{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]} (note: only the "C2 list" entry is the extracted command-and-control endpoint; the "decoy" entries are padding from the configuration and should not be treated as indicators of compromise on their own — verify the C2 host/path against observed network traffic before blocking) |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY |
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0040604C |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00404772 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F726571 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B961 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72676B |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72876F |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729157 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728D58 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BB37 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F726135 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B138 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B323 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BB16 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729317 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728F1D |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B10A |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72AFE0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F721FE4 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B5D9 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7293DD |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7251C0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7287C6 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72ABC6 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72C3C6 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B9CE |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72ADB0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7275B4 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7261BC |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728FAC |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7275AD |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729392 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B597 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BC7C |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729063 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72AE52 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F724E5D |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728A4D |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BC38 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F727A21 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728E12 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729210 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B80A |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72AE0B |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7276F0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F721AFB |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72AEF9 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B6EB |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F728ED1 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7292C2 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BAC8 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B6B2 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F738CB2 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F727EB8 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72B0BC |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F727AA0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F7268A4 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72AEAF |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72BA98 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729081 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F729488 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00401026 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00401030 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041E261 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041EB71 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041E3DA |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041E4B4 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00402D90 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00409E4B |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00409E50 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041EEB5 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041D7DE |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041E79A |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00402FB0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B020A8 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B090 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B028EC |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B0E824 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF1002 |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A350 NtCreateFile, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A400 NtReadFile, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A480 NtClose, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A530 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A34A NtCreateFile, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A3FB NtReadFile, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A47B NtClose, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A798A0 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79820 NtEnumerateKey, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A7B040 NtSuspendThread, |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 |
Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}p |
Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.406717095.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.373318583.0000000008552000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8 |
Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000005.00000000.406717095.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}> |
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-; |
Source: explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA3A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA78 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E736 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E94A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E9FB mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] |
Source: explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.406037700.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.395139269.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.414148173.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.402294707.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.362547882.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381122530.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.514189863.0000000004C64000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521230324.00000000010B8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.512147247.0000000004C7B000.00000004.00000001.sdmp | Binary or memory string: Progman |
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager |
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY |