Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cryptoinhindi.online/nmks/"], "decoy": ["sunaoto.net", "uddeshyaheen.com", "memesyndicste.com", "wellnessbytanyabawa.com", "winabeel.com", "santabirria.com", "whatmattersindia.com", "3rdimultimedia.com", "koukismile.com", "hellobabymoccs.com", "marziehmakeup.com", "faiyou.com", "redbarnprovisions.com", "odmgl.com", "usevino.xyz", "csyczp.com", "gutfeelings.club", "coscos.xyz", "moodoo.icu", "thedarktechnician.com", "weebwrld.com", "wilsonmantels.com", "biodrains.com", "banqutstaff.com", "solomonislandsforum.com", "yolo-wear.com", "everylastdropinc.com", "dayblindstarstrategies.com", "freelancersarabia.com", "bellasnicolejewelrymd.com", "oscarh.net", "actevate.xyz", "apa168.com", "paintonpurposeofficial.com", "hrvatskepraviceblog.com", "tednme.com", "truverity.study", "militarynotary.com", "advancedhorticulture.com", "bookmyfreelancer.online", "nieght.com", "yabancidiziozetleri.net", "bkoclchain.com", "ahwaday.com", "yandex-deliverry.online", "electronichaven.today", "islamidesign.com", "lagerungen.com", "uneducatedbyamerica.com", "78500605.xyz", "taichiforwellbeingonline.com", "philipsima.com", "ezljdah.com", "auserconsulting.com", "finrowacademy.com", "securitybyicon.com", "craveroots.com", "ppneumatic.com", "neiretec.com", "amazonemea.xyz", "3dpraclabs-virtual-physics.com", "fitnesstrainingco.com", "brsconsortuimltd.com", "rapiddist.com"]} |
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY |
Source: | Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp |
Source: | Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp |
Source: | Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe |
Source: | Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe |
Source: | Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose, | 15_2_011F31DC |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, | 15_2_011D85EA |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, | 15_2_011E245C |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, | 15_2_011DB89C |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, | 15_2_011E68BA |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: PO07262021.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gif |
Source: explorer.exe, 00000009.00000000.735427722.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: PO07262021.exe, 00000000.00000003.647203244.000000000116D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: PO07262021.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f |
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419D60 NtCreateFile, | 7_2_00419D60 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419E10 NtReadFile, | 7_2_00419E10 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419E90 NtClose, | 7_2_00419E90 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419F40 NtAllocateVirtualMemory, | 7_2_00419F40 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419E8B NtClose, | 7_2_00419E8B |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00419F3D NtAllocateVirtualMemory, | 7_2_00419F3D |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, | 15_2_011F6D90 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, | 15_2_011FB5E0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose, | 15_2_011DB42E |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, | 15_2_011D84BE |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, | 15_2_011D58A4 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB4C0 NtQueryInformationToken, | 15_2_011DB4C0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken, | 15_2_011DB4F8 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, | 15_2_011D83F2 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F9AB4 NtSetInformationFile, | 15_2_011F9AB4 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9780 NtMapViewOfSection,LdrInitializeThunk, | 15_2_03AA9780 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9FE0 NtCreateMutant,LdrInitializeThunk, | 15_2_03AA9FE0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9710 NtQueryInformationToken,LdrInitializeThunk, | 15_2_03AA9710 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 15_2_03AA96E0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA96D0 NtCreateKey,LdrInitializeThunk, | 15_2_03AA96D0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A50 NtCreateFile,LdrInitializeThunk, | 15_2_03AA9A50 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA99A0 NtCreateSection,LdrInitializeThunk, | 15_2_03AA99A0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA95D0 NtClose,LdrInitializeThunk, | 15_2_03AA95D0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 15_2_03AA9910 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9540 NtReadFile,LdrInitializeThunk, | 15_2_03AA9540 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9860 NtQuerySystemInformation,LdrInitializeThunk, | 15_2_03AA9860 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9840 NtDelayExecution,LdrInitializeThunk, | 15_2_03AA9840 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA97A0 NtUnmapViewOfSection, | 15_2_03AA97A0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAA3B0 NtGetContextThread, | 15_2_03AAA3B0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9730 NtQueryVirtualMemory, | 15_2_03AA9730 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9B00 NtSetValueKey, | 15_2_03AA9B00 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAA710 NtOpenProcessToken, | 15_2_03AAA710 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9760 NtOpenProcess, | 15_2_03AA9760 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9770 NtSetInformationFile, | 15_2_03AA9770 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAA770 NtOpenThread, | 15_2_03AAA770 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A80 NtOpenDirectoryObject, | 15_2_03AA9A80 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A20 NtResumeThread, | 15_2_03AA9A20 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A00 NtProtectVirtualMemory, | 15_2_03AA9A00 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9610 NtEnumerateValueKey, | 15_2_03AA9610 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A10 NtQuerySection, | 15_2_03AA9A10 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9660 NtAllocateVirtualMemory, | 15_2_03AA9660 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9670 NtQueryInformationProcess, | 15_2_03AA9670 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9650 NtQueryValueKey, | 15_2_03AA9650 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA95F0 NtQueryInformationFile, | 15_2_03AA95F0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA99D0 NtCreateProcessEx, | 15_2_03AA99D0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9520 NtWaitForSingleObject, | 15_2_03AA9520 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAAD30 NtSetContextThread, | 15_2_03AAAD30 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9560 NtWriteFile, | 15_2_03AA9560 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9950 NtQueueApcThread, | 15_2_03AA9950 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA98A0 NtWriteVirtualMemory, | 15_2_03AA98A0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA98F0 NtReadVirtualMemory, | 15_2_03AA98F0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9820 NtEnumerateKey, | 15_2_03AA9820 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00401026 | 7_2_00401026 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00401030 | 7_2_00401030 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D9D8 | 7_2_0041D9D8 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D1AB | 7_2_0041D1AB |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D3C4 | 7_2_0041D3C4 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041E5F4 | 7_2_0041E5F4 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00402D90 | 7_2_00402D90 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00409E40 | 7_2_00409E40 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00409E3C | 7_2_00409E3C |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041DFE0 | 7_2_0041DFE0 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041DFEC | 7_2_0041DFEC |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00402FB0 | 7_2_00402FB0 |
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_006A6507 | 7_2_006A6507 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F3506 | 15_2_011F3506 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E6550 | 15_2_011E6550 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E1969 | 15_2_011E1969 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D7190 | 15_2_011D7190 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC | 15_2_011F31DC |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DD803 | 15_2_011DD803 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DE040 | 15_2_011DE040 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D9CF0 | 15_2_011D9CF0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F5CEA | 15_2_011F5CEA |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D48E6 | 15_2_011D48E6 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DCB48 | 15_2_011DCB48 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E5FC8 | 15_2_011E5FC8 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F6FF0 | 15_2_011F6FF0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DFA30 | 15_2_011DFA30 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5226 | 15_2_011D5226 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5E70 | 15_2_011D5E70 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D8AD7 | 15_2_011D8AD7 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A9EBB0 | 15_2_03A9EBB0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A86E30 | 15_2_03A86E30 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A92581 | 15_2_03A92581 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A7D5E0 | 15_2_03A7D5E0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A60D20 | 15_2_03A60D20 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A84120 | 15_2_03A84120 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A6F900 | 15_2_03A6F900 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B31D55 | 15_2_03B31D55 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A920A0 | 15_2_03A920A0 |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A7B090 | 15_2_03A7B090 |
Source: PO07262021.exe, 00000000.00000000.642212993.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe |
Source: PO07262021.exe, 00000007.00000002.768168332.000000000143F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO07262021.exe |
Source: PO07262021.exe, 00000007.00000002.766354813.0000000000792000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe |
Source: PO07262021.exe, 00000007.00000002.768464422.000000000152D000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs PO07262021.exe |
Source: PO07262021.exe | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe |
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |