{"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}
| Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]} |
| Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer |
| Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com |
| Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/ |
| Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
| Source: explorer.exe, 00000008.00000000.2107572712.0000000004F30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
| Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net |
| Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/ |
| Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
| Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww |
| Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
| Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA |
| Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
| Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner |
| Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv |
| Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
| Source: msiexec.exe, 00000004.00000002.2097975295.0000000000330000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2098042878.00000000003BA000.00000004.00000020.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi |
| Source: msiexec.exe, 00000004.00000002.2098087183.0000000000566000.00000004.00000001.sdmp, msiexec.exe, 00000004.00000002.2098074405.0000000000466000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qn |
| Source: msiexec.exe, 00000004.00000002.2097965804.0000000000324000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qnG |
| Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F00C4 NtCreateFile,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0048 NtProtectVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0078 NtResumeThread,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF9F0 NtClose,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF900 NtReadFile,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAE8 NtQueryInformationProcess,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBB8 NtQueryInformationToken,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB68 NtFreeVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC90 NtUnmapViewOfSection,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC60 NtMapViewOfSection,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD8C NtDelayExecution,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFDC0 NtQuerySystemInformation,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFEA0 NtReadVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFB4 NtCreateSection,LdrInitializeThunk, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F10D0 NtOpenProcessToken, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0060 NtQuerySection, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F01D4 NtSetValueKey, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F010C NtOpenDirectoryObject, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1148 NtOpenThread, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F07AC NtCreateMutant, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF8CC NtWaitForSingleObject, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF938 NtWriteFile, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1930 NtSetContextThread, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAB8 NtQueryValueKey, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA20 NtQueryInformationFile, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA50 NtEnumerateValueKey, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBE8 NtQueryVirtualMemory, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB50 NtCreateKey, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC30 NtOpenProcess, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC48 NtSetInformationFile, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0C40 NtGetContextThread, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1D80 NtSuspendThread, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD5C NtEnumerateKey, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFE24 NtWriteVirtualMemory, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFFC NtCreateProcessEx, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFF34 NtQueueApcThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F00C4 NtCreateFile,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F07AC NtCreateMutant,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAB8 NtQueryValueKey,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB50 NtCreateKey,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF900 NtReadFile,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF9F0 NtClose,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFB4 NtCreateSection,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD8C NtDelayExecution,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0048 NtProtectVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0078 NtResumeThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0060 NtQuerySection, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F10D0 NtOpenProcessToken, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F010C NtOpenDirectoryObject, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1148 NtOpenThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F01D4 NtSetValueKey, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA20 NtQueryInformationFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA50 NtEnumerateValueKey, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBE8 NtQueryVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF8CC NtWaitForSingleObject, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF938 NtWriteFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1930 NtSetContextThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFE24 NtWriteVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFEA0 NtReadVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFF34 NtQueueApcThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFFC NtCreateProcessEx, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC30 NtOpenProcess, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC48 NtSetInformationFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0C40 NtGetContextThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC90 NtUnmapViewOfSection, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD5C NtEnumerateKey, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1D80 NtSuspendThread, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099D50 NtCreateFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E00 NtReadFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E80 NtClose, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F30 NtAllocateVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099DFB NtReadFile, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F2B NtAllocateVirtualMemory, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9DAE NtResumeThread,NtClose, |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE0C6 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092D005 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091905A |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00903040 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE2E9 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A1238 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FF3CF |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009263DB |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00902305 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00907353 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0094A37B |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00935485 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00911489 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0093D47D |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091C5F0 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090351F |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00904680 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090E6C1 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A2622 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098579A |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C7BC |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009357C3 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099F8EE |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C85C |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092286D |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A098E |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009029B2 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009169FE |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00985955 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009B3A83 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009ACBA4 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098DBDA |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FFBD7 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00927B00 |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099FDDD |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00930D3B |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090CD5B |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00932E2F |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091EE4C |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00910F3F |
| Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092DF7C |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A1238 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE2E9 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02202305 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A37B |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02207353 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A63BF |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FF3CF |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022263DB |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222D005 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02203040 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221905A |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE0C6 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A2622 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A634 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02204680 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220E6C1 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C7BC |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228579A |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022357C3 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0223D47D |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02235485 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02211489 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220351F |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02246540 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221C5F0 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022B3A83 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02227B00 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022ACBA4 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FFBD7 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228DBDA |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222286D |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C85C |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229F8EE |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02285955 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022029B2 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A098E |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022169FE |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02232E2F |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221EE4C |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02210F3F |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222DF7C |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02230D3B |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220CD5B |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229FDDD |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E071 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E5FC |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D87 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D90 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00089E30 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082FB0 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1069 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1072 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E8132 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDA6F |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EAA32 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDB0E |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B1F |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B22 |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CEC |
| Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CF2 |
| Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\SysWOW64\wininit.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
| Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Play interactive tour
Edit tour
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node