Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp |
Malware Configuration Extractor: FormBook {"C2 list": ["www.llaa11.xyz/scb0/"], "decoy": ["austinsv.net", "nothernballet.com", "mycoursey.com", "exodiduis.com", "frankserranolaw.com", "dingyiemail.com", "woodstocktimbersandbeams.com", "somphones.com", "goalcations.com", "boraeresici.com", "spiegelverwarming.store", "8676789.rest", "tametaverse.com", "suppliesdevon.com", "sergiofisheronmcl.com", "reevophilippines.com", "oemlift.com", "helloworld.agency", "klaydoge.com", "cristinadiasoficial.com", "rentalsbox.com", "mydigbook.icu", "karamanescortbayan.xyz", "pyxis.digital", "kak-izbavitsya.xyz", "brakepad114.com", "scribr.net", "accountable-measures.com", "tj5288.com", "profit-fx.com", "melomis.com", "afroditas.online", "mvptcodesupport.com", "immerseinagro.com", "mustibayankuaforu.com", "ticketpremiado.com", "xxxpornmodels.com", "regalosyartesania.com", "imaginariss.com", "blockart.digital", "cn363.com", "titanpestsolutions.com", "laceswap.store", "individucars.com", "ysgo.club", "wpzone.online", "fromtotravel.com", "hbpartyrentals.com", "tectonicvi.com", "gaia32.com", "tubesn.com", "c7performance.com", "andysmittkamp.com", "wildcatsclan.net", "arbiafashion.com", "ivonnedekeizer.com", "kmarket.club", "deployinghigh.com", "sasanos.com", "rick078.xyz", "shahroodisales.com", "chillrn.com", "xn--2ckzf.com", "14ideedumois.com"]} |
Source: Yara match |
File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbo1 source: WerFault.exe, 0000000F.00000003.409099360.00000000057F1000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.489730419.0000000004E5F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.514625482.000000000491E000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb> source: WerFault.exe, 00000022.00000003.523781598.0000000004D01000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp |
Source: Yara match |
File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\Public\Libraries\zxdpbyQ.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50481030 |
5_2_50481030 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049C086 |
5_2_5049C086 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049C988 |
5_2_5049C988 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50481209 |
5_2_50481209 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049BB80 |
5_2_5049BB80 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50488C6B |
5_2_50488C6B |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50488C70 |
5_2_50488C70 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50482D87 |
5_2_50482D87 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50482D90 |
5_2_50482D90 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50482FB0 |
5_2_50482FB0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50481030 |
27_2_50481030 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049C086 |
27_2_5049C086 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049C988 |
27_2_5049C988 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50481209 |
27_2_50481209 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049BB80 |
27_2_5049BB80 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50488C6B |
27_2_50488C6B |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50488C70 |
27_2_50488C70 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50482D87 |
27_2_50482D87 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50482D90 |
27_2_50482D90 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50482FB0 |
27_2_50482FB0 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50481030 |
32_2_50481030 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049C086 |
32_2_5049C086 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049C988 |
32_2_5049C988 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50481209 |
32_2_50481209 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049BB80 |
32_2_5049BB80 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50488C6B |
32_2_50488C6B |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50488C70 |
32_2_50488C70 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50482D87 |
32_2_50482D87 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50482D90 |
32_2_50482D90 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_50482FB0 |
32_2_50482FB0 |
Source: unknown |
Process created: C:\Users\user\Desktop\fTset285bI.exe 'C:\Users\user\Desktop\fTset285bI.exe' |
|
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
|
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\secinit.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 240 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
|
Source: C:\Windows\SysWOW64\reg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe 'C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe' |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe 'C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe' |
|
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 484 |
|
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
|
Source: C:\Windows\SysWOW64\secinit.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 236 |
|
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1312 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4788 |
Source: C:\Users\user\Desktop\fTset285bI.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\fTset285bI.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbo1 source: WerFault.exe, 0000000F.00000003.409099360.00000000057F1000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.489730419.0000000004E5F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.514625482.000000000491E000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb> source: WerFault.exe, 00000022.00000003.523781598.0000000004D01000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp |
Source: |
Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049B86C push eax; ret |
5_2_5049B872 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049B80B push eax; ret |
5_2_5049B872 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049B802 push eax; ret |
5_2_5049B808 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049510E push ecx; iretd |
5_2_50495114 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049513F push ebp; retf |
5_2_50495144 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50496230 push eax; retf |
5_2_50496237 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5048C37D pushad ; retf |
5_2_5048C34C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5048C332 pushad ; retf |
5_2_5048C34C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50495D7E push edx; retf |
5_2_50495D81 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50494DD5 push edx; iretd |
5_2_50494DD7 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_50494E85 push 93A712F1h; ret |
5_2_50494E8E |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5048E723 push ebp; retf |
5_2_5048E72D |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 5_2_5049B7B5 push eax; ret |
5_2_5049B808 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049B86C push eax; ret |
27_2_5049B872 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049B80B push eax; ret |
27_2_5049B872 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049B802 push eax; ret |
27_2_5049B808 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049510E push ecx; iretd |
27_2_50495114 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049513F push ebp; retf |
27_2_50495144 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50496230 push eax; retf |
27_2_50496237 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5048C37D pushad ; retf |
27_2_5048C34C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5048C332 pushad ; retf |
27_2_5048C34C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50495D7E push edx; retf |
27_2_50495D81 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50494DD5 push edx; iretd |
27_2_50494DD7 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_50494E85 push 93A712F1h; ret |
27_2_50494E8E |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5048E723 push ebp; retf |
27_2_5048E72D |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 27_2_5049B7B5 push eax; ret |
27_2_5049B808 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049B86C push eax; ret |
32_2_5049B872 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049B80B push eax; ret |
32_2_5049B872 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049B802 push eax; ret |
32_2_5049B808 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049510E push ecx; iretd |
32_2_50495114 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 32_2_5049513F push ebp; retf |
32_2_50495144 |
Source: fTset285bI.exe |
Static PE information: section name: ..... |
Source: fTset285bI.exe |
Static PE information: section name: ...... |
Source: fTset285bI.exe |
Static PE information: section name: ..... |
Source: fTset285bI.exe |
Static PE information: section name: .... |
Source: fTset285bI.exe |
Static PE information: section name: ...... |
Source: fTset285bI.exe |
Static PE information: section name: .... |
Source: fTset285bI.exe |
Static PE information: section name: ...... |
Source: fTset285bI.exe |
Static PE information: section name: ...... |
Source: fTset285bI.exe |
Static PE information: section name: ..... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ..... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ...... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ..... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: .... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ...... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: .... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ...... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ...... |
Source: Qybpdxz.exe.0.dr |
Static PE information: section name: ..... |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 2E20000 |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 2E30000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 660000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 670000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F30000 |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F40000 |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2E20000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\fTset285bI.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2E30000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 660000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 670000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F30000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F40000 protect: page execute and read and write |
Source: Yara match |
File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY |