Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com", "wihling.com", "fishcheekstosa.com", "parentsfuid.com", "greenstandmarket.com", "fc8fla8kzq.com", "gametwist-83.club", "jobsncvs.com", "directrealtysells.com", "avida2015.com", "conceptasite.net", "arkaneattire.com", "indev-mobility.info", "2160centurypark412.com", "valefloor.com", "septembership.com", "stackflix.com", "jimc0sales.net", "socialviralup.com", "lastra41.com", "juliaepaulovaocasar.com", "jurisagora.com", "drawandgrow.online", "rebekahlouise.com", "herport-fr.com", "iphone13.webcam", "appz-one.net", "inpost-pl.net", "promocion360fitness.com", "global-forbes.biz", "diamondtrade.net", "albertcantos.com", "gtgits.com", "travel-ai.online", "busipe6.com", "mualikesubvn.com", "niftyhandy.com", "docprops.com", "lido88.bet", "baywoodphotography.com", "cargosouq.info", "newsnowlive.online", "floridafishingoverboard.com", "missnikissalsa.net", "walletvalidate.space", "kissimmeeinternationalcup.com", "charterhome.school", "gurujupiter.com", "entertainmentwitchy.com", "jokeaou.com", "sugarmountainfirearms.com", "iss-sa.com", "smittyssierra.com", "freedomoff.com", "giftoin.com", "realitystararmwrestling.com", "salsalunch-equallyage.com", "ladouba.com", "thepropertygoat.com", "bestofmerrick.guide", "4the.top", "regioinversiones.com"]} |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.19.dr | Binary or memory string: VMware |
Source: Amcache.hve.19.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.19.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.19.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.19.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.19.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.19.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.19.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.19.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.19.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.19.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.19.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.19.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71 |
Source: Amcache.hve.19.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
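The signature lines in this report (the FormBook configuration extracted from memory, the Yara matches with their Malpedia/JPCERT metadata, the "Process information set" flags, and the hypervisor strings found in Amcache.hve.19.dr) are in a fixed "Source: X | key: value | ..." layout, so they can be turned into structured indicators rather than read by eye. The parser below is an added example written for this page; it is not part of the sandbox report or of any FormBook tooling. It assumes that "Process information set" entries are the SetErrorMode flags the sample set (SEM_NOOPENFILEERRORBOX and friends), that the ".dr" suffix marks a file the sandbox captured rather than something the sample wrote (Amcache.hve describes the analysis VM's own hardware, so those VMware strings are environment noise, not proof the sample fingerprints hypervisors), and that FormBook's "decoy" domains are sites the bot contacts to hide the real C2, so only the C2 host plus path is a usable network indicator. The sample lines are copied from the report with the decoy list shortened.

```python
"""Parse Joe Sandbox-style signature lines into structured indicators.

Added example for this page; not the sandbox's or FormBook's own code.
"""
import json
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, decoy list truncated.
SAMPLE_LINES = r"""
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com"]} |
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.19.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
"""

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (\S+) (\{.*\})")
RULE_RE = re.compile(r"Matched rule: (\S+)(?: (.*))?$")
VM_HINTS = ("vmware", "necvmwar", "hyper-v", "virtual", "vbox", "qemu")


def parse_line(line):
    """Split 'Source: X | k: v | ...' into (source, [remaining segments])."""
    line = line.strip().rstrip("|").strip()          # lines end with a dangling '|'
    segs = [s.strip() for s in line.split(" | ") if s.strip()]
    if not segs or not segs[0].startswith("Source: "):
        return None
    return segs[0][len("Source: "):], segs[1:]


def extract_config(lines):
    """Family, C2 entries (host + panel path) and decoy domains from the extractor line."""
    for line in lines:
        m = CONFIG_RE.search(line)
        if not m:
            continue
        cfg = json.loads(m.group(2))
        c2 = []
        for entry in cfg.get("C2 list", []):
            host, _, path = entry.partition("/")     # entries carry no scheme
            c2.append({"host": host, "path": "/" + path})
        # Decoys are kept for context only: the bot talks to them to mask the
        # real C2, and they may be legitimate sites, so do not blocklist them.
        return {"family": m.group(1), "c2": c2, "decoy": list(cfg.get("decoy", []))}
    return None


def yara_summary(lines):
    """Rule name -> rule metadata and the de-duplicated set of matching sources."""
    rules = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        source, segs = parsed
        for seg in segs:
            m = RULE_RE.match(seg)
            if not m or " = " not in (m.group(2) or ""):
                continue                              # description-only entries carry no rule name
            name, meta = m.group(1), {}
            for kv in m.group(2).split(", "):
                k, sep, v = kv.partition(" = ")
                if sep:
                    meta[k.strip()] = v.strip()
            rules.setdefault(name, {"meta": meta, "sources": set()})["sources"].add(source)
    return {n: {"meta": e["meta"], "sources": sorted(e["sources"])} for n, e in rules.items()}


def error_mode_summary(lines):
    """Per process image, how often each SetErrorMode-style flag was logged (assumed mapping)."""
    flags = defaultdict(lambda: defaultdict(int))
    prefix = "Process information set: "
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        source, segs = parsed
        for i, seg in enumerate(segs):
            if seg.startswith(prefix):
                # flags are pipe-separated, so extra flags spilled into later segments
                for f in [seg[len(prefix):]] + segs[i + 1:]:
                    if re.fullmatch(r"[A-Z]+", f):
                        flags[source][f] += 1
                break
    return {k: dict(v) for k, v in flags.items()}


def vm_strings(lines):
    """Hypervisor-related strings grouped by the artifact they came from.

    A '.dr' source is a sandbox-captured file; Amcache.hve lists the VM's own
    hardware, so these hits describe the analysis box, not the sample's checks."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        source, segs = parsed
        for seg in segs:
            if seg.startswith("Binary or memory string: "):
                s = seg[len("Binary or memory string: "):]
                if any(h in s.lower() for h in VM_HINTS):
                    out[source].append(s)
    return dict(out)


def build_report(text):
    """Run every extractor over the raw signature text."""
    lines = [l for l in text.splitlines() if l.strip()]
    return {"config": extract_config(lines), "yara": yara_summary(lines),
            "error_mode": error_mode_summary(lines), "vm_strings": vm_strings(lines)}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LINES), indent=2))
```

Feeding the full report through build_report collapses the repeated Yara entries into two rules (Formbook_1 from Malpedia, Formbook from JPCERT/CC) each matched in thirteen sources, and leaves a single blockable indicator: host www.129qihu.com with path /c6si/. Pairing host and path matters because FormBook panels sit on otherwise ordinary domains; matching the host alone is noisy, and matching any of the 64 decoy domains is wrong.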