{"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer |
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com |
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com |
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net |
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/ |
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3 |
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww |
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA |
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner |
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv |
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org |
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org |
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356226 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354368 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356C00 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356479 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356720 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354968 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358990 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358980 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_009E11AB |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C001 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00401030 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B8C3 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C948 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00408C80 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041BD22 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D8A |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D90 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402FB0 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E0C6 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088D005 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00863040 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087905A |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DD06D |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E2E9 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00901238 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_009063BF |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085F3CF |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008863DB |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00862305 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00867353 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA37B |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00895485 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00871489 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E443E |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0089D47D |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E05E3 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087C5F0 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086351F |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008A6540 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00864680 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086E6C1 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00902622 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA634 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E579A |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C7BC |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008957C3 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DF8C4 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FF8EE |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C85C |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088286D |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090098E |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008629B2 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008769FE |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E394B |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E5955 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00913A83 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090CBA4 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E6BCB |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085FBD7 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008EDBDA |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00887B00 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FFDDD |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D1238 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E2E9 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02537353 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A37B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02532305 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025563DB |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252F3CF |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D63BF |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254905A |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02533040 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255D005 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E0C6 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A634 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D2622 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253E6C1 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02534680 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025657C3 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B579A |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253C7BC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0256D47D |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B443E |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02565485 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02541489 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02576540 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253351F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254C5F0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025E3A83 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02557B00 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025BDBDA |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252FBD7 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025DCBA4 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253C85C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255286D |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025CF8EE |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B5955 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B394B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025469FE |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D098E |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025329B2 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254EE4C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02562E2F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255DF7C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02540F3F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025A2FDC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025CCFB1 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253CD5B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02560D3B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025CFDDD |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FC948 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E8C80 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2D8A |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2D90 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2FB0 |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004185E0 NtCreateFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00418690 NtReadFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00418710 NtClose, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004187C0 NtAllocateVirtualMemory, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004185DA NtCreateFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041870B NtClose, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008500C4 NtCreateFile,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850078 NtResumeThread,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008507AC NtCreateMutant,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F9F0 NtClose,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F900 NtReadFile,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FD8C NtDelayExecution,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FFB4 NtCreateSection,LdrInitializeThunk, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008510D0 NtOpenProcessToken, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850060 NtQuerySection, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008501D4 NtSetValueKey, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085010C NtOpenDirectoryObject, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851148 NtOpenThread, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F8CC NtWaitForSingleObject, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851930 NtSetContextThread, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084F938 NtWriteFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FAB8 NtQueryValueKey, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FA20 NtQueryInformationFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FA50 NtEnumerateValueKey, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FBE8 NtQueryVirtualMemory, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FB50 NtCreateKey, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC30 NtOpenProcess, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00850C40 NtGetContextThread, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0084FC48 NtSetInformationFile, |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00851D80 NtSuspendThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025200C4 NtCreateFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025207AC NtCreateMutant,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAE8 NtQueryInformationProcess,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FAB8 NtQueryValueKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FB50 NtCreateKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FB68 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FBB8 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F900 NtReadFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F9F0 NtClose,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FFB4 NtCreateSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC60 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FDC0 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FD8C NtDelayExecution,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520048 NtProtectVirtualMemory, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520078 NtResumeThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520060 NtQuerySection, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025210D0 NtOpenProcessToken, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521148 NtOpenThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252010C NtOpenDirectoryObject, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025201D4 NtSetValueKey, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FA50 NtEnumerateValueKey, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FA20 NtQueryInformationFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FBE8 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F8CC NtWaitForSingleObject, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521930 NtSetContextThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251F938 NtWriteFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FE24 NtWriteVirtualMemory, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FEA0 NtReadVirtualMemory, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FF34 NtQueueApcThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FFFC NtCreateProcessEx, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02520C40 NtGetContextThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC48 NtSetInformationFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC30 NtOpenProcess, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FC90 NtUnmapViewOfSection, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0251FD5C NtEnumerateKey, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02521D80 NtSuspendThread, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F85E0 NtCreateFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F8690 NtReadFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F8710 NtClose, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F87C0 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F85DA NtCreateFile, |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F870B NtClose, |
Source: i4L[1].exe.2.dr, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: Pcportk28.exe.2.dr, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs | .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: i4L[1].exe.2.dr, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: Pcportk28.exe.2.dr, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null) |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010E9A2A push es; retf |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010E9767 push 3A000004h; retf 0000h |
Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_010EA0FF push es; iretd |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B822 push eax; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B82B push eax; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B88C push eax; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_004153E0 push es; retf |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00415C4E push ebp; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041CD74 push eax; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00414EAF pushad ; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041CF70 pushad ; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B7D5 push eax; ret |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010EA0FF push es; iretd |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010E9A2A push es; retf |
Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_010E9767 push 3A000004h; retf 0000h |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252DFA1 push ecx; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F53E0 push es; retf |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB7D5 push eax; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB82B push eax; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB822 push eax; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FB88C push eax; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F5C4E push ebp; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FCD74 push eax; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F4EAF pushad ; ret |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FCF70 pushad ; ret |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Pcportk28.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wininit.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath " |
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp | Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7 |
Source: Pcportk28.exe, 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp | Binary or memory string: +Qemu |
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000 |
Source: explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0 |
Source: explorer.exe, 00000006.00000000.487654318.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N |
Source: explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY |