00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.498505335.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498480365.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565073378.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.565679840.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498627216.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588564983.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x32cd0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x3305a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x3ed6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x3e859:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x3ee6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x3efe7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x33a72:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x3dad4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x347ea:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x4425f:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x45312:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x41191:$sqlite3step: 68 34 1C 7B E1
- 0x412a4:$sqlite3step: 68 34 1C 7B E1
- 0x411c0:$sqlite3text: 68 38 2A 90 C5
- 0x412e5:$sqlite3text: 68 38 2A 90 C5
- 0x411d3:$sqlite3blob: 68 53 D8 7F 8C
- 0x412fb:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.588126227.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.544671819.0000000001D1C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.498862779.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588811679.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498678238.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498733473.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498702228.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.566149960.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.499081550.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588856933.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.566665565.0000000001DA0000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.565115877.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000002.525659304.0000000001E8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.499010523.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565865181.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.565257536.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498814770.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.589154699.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498598880.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.566085923.0000000001DA4000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.544180474.0000000001D1C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.565980818.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.566289908.0000000001DA0000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.482158842.0000000001EA0000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.566501613.0000000001DA4000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000002.603310457.0000000001D2C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.566198951.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.480503780.0000000001E7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.589598221.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.566202052.0000000001D8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.479950965.0000000001E7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.566715665.0000000001D7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.498651349.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.565719337.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544264946.0000000001D2C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.499260635.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.480681894.0000000001E8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.589004942.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588625947.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.588510605.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.566332396.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.499284882.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.590084354.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565331288.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x32cd0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x3305a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x3ed6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x3e859:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x3ee6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x3efe7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x33a72:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x3dad4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x347ea:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x4425f:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x45312:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x41191:$sqlite3step: 68 34 1C 7B E1
- 0x412a4:$sqlite3step: 68 34 1C 7B E1
- 0x411c0:$sqlite3text: 68 38 2A 90 C5
- 0x412e5:$sqlite3text: 68 38 2A 90 C5
- 0x411d3:$sqlite3blob: 68 53 D8 7F 8C
- 0x412fb:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7b9c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7f26:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x309ac:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x30d36:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x13c39:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x3ca49:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x13725:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x3c535:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x13d3b:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x3cb4b:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x13eb3:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x3ccc3:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x893e:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x3174e:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x129a0:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x3b7b0:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x96b6:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x324c6:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1912b:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x41f3b:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1a1de:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x1605d:$sqlite3step: 68 34 1C 7B E1
- 0x16170:$sqlite3step: 68 34 1C 7B E1
- 0x3ee6d:$sqlite3step: 68 34 1C 7B E1
- 0x3ef80:$sqlite3step: 68 34 1C 7B E1
- 0x1608c:$sqlite3text: 68 38 2A 90 C5
- 0x161b1:$sqlite3text: 68 38 2A 90 C5
- 0x3ee9c:$sqlite3text: 68 38 2A 90 C5
- 0x3efc1:$sqlite3text: 68 38 2A 90 C5
- 0x1609f:$sqlite3blob: 68 53 D8 7F 8C
- 0x161c7:$sqlite3blob: 68 53 D8 7F 8C
- 0x3eeaf:$sqlite3blob: 68 53 D8 7F 8C
- 0x3efd7:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.588264614.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.565525257.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.589996765.0000000004064000.00000004.00000010.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8614:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x899e:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146b1:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x1419d:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147b3:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1492b:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93b6:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x13418:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa12e:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19ba3:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac56:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ad5:$sqlite3step: 68 34 1C 7B E1
- 0x16be8:$sqlite3step: 68 34 1C 7B E1
- 0x16b04:$sqlite3text: 68 38 2A 90 C5
- 0x16c29:$sqlite3text: 68 38 2A 90 C5
- 0x16b17:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c3f:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.566148762.0000000001D7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.566048589.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544497330.0000000001D1C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x15ac9:$sqlite3step: 68 34 1C 7B E1
- 0x15bdc:$sqlite3step: 68 34 1C 7B E1
- 0x15af8:$sqlite3text: 68 38 2A 90 C5
- 0x15c1d:$sqlite3text: 68 38 2A 90 C5
- 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x15c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.589071961.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498894184.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.566552143.0000000001D7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.589736597.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588471940.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.566256167.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588426706.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000008.00000003.565630232.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544614514.0000000001D40000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.564962472.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x15ac9:$sqlite3step: 68 34 1C 7B E1
- 0x15bdc:$sqlite3step: 68 34 1C 7B E1
- 0x15af8:$sqlite3text: 68 38 2A 90 C5
- 0x15c1d:$sqlite3text: 68 38 2A 90 C5
- 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x15c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.480350918.0000000001E8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.499111193.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588316167.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.565804356.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565037142.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.589431920.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498529438.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565767361.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.499217073.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565155619.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498552553.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.565919206.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544308555.0000000001D40000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x15ac9:$sqlite3step: 68 34 1C 7B E1
- 0x15bdc:$sqlite3step: 68 34 1C 7B E1
- 0x15af8:$sqlite3text: 68 38 2A 90 C5
- 0x15c1d:$sqlite3text: 68 38 2A 90 C5
- 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x15c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.544544050.0000000001D30000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.566595226.0000000001D90000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.498960821.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.589253490.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.481290433.0000000001E7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x6ac9:$sqlite3step: 68 34 1C 7B E1
- 0x6bdc:$sqlite3step: 68 34 1C 7B E1
- 0x6af8:$sqlite3text: 68 38 2A 90 C5
- 0x6c1d:$sqlite3text: 68 38 2A 90 C5
- 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.588930070.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544115744.0000000001D44000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.588694775.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544390642.0000000001D2C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.482088353.0000000001E90000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.482210070.0000000001E7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.479891596.0000000001EA4000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000002.642465080.0000000001D8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000004.00000003.499152325.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8614:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x899e:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146b1:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x1419d:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147b3:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1492b:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93b6:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x13418:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa12e:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19ba3:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac56:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ad5:$sqlite3step: 68 34 1C 7B E1
- 0x16be8:$sqlite3step: 68 34 1C 7B E1
- 0x16b04:$sqlite3text: 68 38 2A 90 C5
- 0x16c29:$sqlite3text: 68 38 2A 90 C5
- 0x16b17:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c3f:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.565204523.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.499053483.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588167672.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498574791.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565378996.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x6ac9:$sqlite3step: 68 34 1C 7B E1
- 0x6bdc:$sqlite3step: 68 34 1C 7B E1
- 0x6af8:$sqlite3text: 68 38 2A 90 C5
- 0x6c1d:$sqlite3text: 68 38 2A 90 C5
- 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000008.00000003.566095697.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498790069.00000000039CC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.498758895.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.480431968.0000000001EA0000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.544431863.0000000001D44000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.566398254.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.544350421.0000000001D1C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.566373519.0000000001D7C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.566438198.0000000001D8C000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
00000008.00000003.565435086.000000000389C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000008.00000003.565008941.00000000044C4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000003.481026953.0000000001EA4000.00000004.00000001.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | |
0000000B.00000003.588386407.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588750010.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.588055915.0000000003A4C000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x19a8:$file: URL=
- 0x198c:$url_explicit: [InternetShortcut]
|
00000004.00000003.499194499.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x16ac9:$sqlite3step: 68 34 1C 7B E1
- 0x16bdc:$sqlite3step: 68 34 1C 7B E1
- 0x16af8:$sqlite3text: 68 38 2A 90 C5
- 0x16c1d:$sqlite3text: 68 38 2A 90 C5
- 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
|
0000000B.00000003.588226799.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
00000004.00000003.498986637.0000000004204000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|
0000000B.00000003.589349293.0000000004724000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | - 0x1cf4:$file: URL=
- 0x1cd8:$url_explicit: [InternetShortcut]
|