00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000002.959380851.0000015595548000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x7cf3:$asp_much_sus15: AntiVirus
- 0x3c48:$tagasp_short1: <%\xB7
- 0x5aa6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x7c03:$asp_xml_http: Microsoft.XMLHTTP
- 0x83be:$asp_xml_method2: POST
- 0x194:$asp_text1: .text
- 0x7f99:$asp_payload2: eval(
- 0x8258:$asp_payload2: eval(
- 0x7bc2:$asp_payload11: WScript.Shell
- 0x7f73:$asp_multi_payload_one3: .run
- 0x807f:$asp_multi_payload_one3: .run
- 0x816f:$asp_multi_payload_one3: .run
- 0x82fa:$asp_multi_payload_one3: .run
- 0x7f55:$asp_always_write1: .Write
- 0x8063:$asp_always_write1: .Write
- 0x8152:$asp_always_write1: .Write
- 0x82dc:$asp_always_write1: .Write
- 0x7f39:$asp_write_way_one3: CreateTextFile
- 0x8106:$asp_write_way_one3: CreateTextFile
- 0x82c0:$asp_write_way_one3: CreateTextFile
- 0x5aa6:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
|
00000002.00000002.959380851.0000015595548000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000009.00000002.964474352.000002A0FC393000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x15d20:$asp_much_sus15: AntiVirus
- 0x1f0c2:$asp_much_sus15: AntiVirus
- 0x4f46:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x25b6:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
- 0x330e:$asp_xml_http: Microsoft.XMLHTTP
- 0x4284:$asp_xml_method2: POST
- 0x3a3a:$asp_payload2: eval(
- 0x3fb8:$asp_payload2: eval(
- 0x328c:$asp_payload11: WScript.Shell
- 0x39ee:$asp_multi_payload_one3: .run
- 0x3c06:$asp_multi_payload_one3: .run
- 0x3de6:$asp_multi_payload_one3: .run
- 0x40fc:$asp_multi_payload_one3: .run
- 0x39b2:$asp_always_write1: .Write
- 0x3bce:$asp_always_write1: .Write
- 0x3dac:$asp_always_write1: .Write
- 0x40c0:$asp_always_write1: .Write
- 0x397a:$asp_write_way_one3: CreateTextFile
- 0x3d14:$asp_write_way_one3: CreateTextFile
- 0x4088:$asp_write_way_one3: CreateTextFile
- 0x4f46:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
|
00000009.00000002.964474352.000002A0FC393000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.440159871.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xc:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x1c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x2c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x3c:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x5c:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x7c:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0xb0:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0xc0:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0xd0:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x154:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x164:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x238:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x248:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x2b4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x2d4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x2e4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x2f4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x304:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x314:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
- 0x324:$x1: 78 34 4E 6A 52 63 65 44 59 79 58 48 67
- 0x334:$x1: 78 34 4E 7A 4E 63 65 44 63 30 58 48 67
|
00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
|
00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x9578:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x16761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa32a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x159dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb0a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1c307:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1d40a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x19189:$sqlite3step: 68 34 1C 7B E1
- 0x1929c:$sqlite3step: 68 34 1C 7B E1
- 0x191b8:$sqlite3text: 68 38 2A 90 C5
- 0x192dd:$sqlite3text: 68 38 2A 90 C5
- 0x191cb:$sqlite3blob: 68 53 D8 7F 8C
- 0x192f3:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.438650051.000001C6B5E12000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x29d0:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x29e0:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x300c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x301c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x302c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x303c:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x305c:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x307c:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x30b0:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x30c0:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x30d0:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x3154:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x3164:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x3238:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x3248:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x32b4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x32d4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x32e4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x32f4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x3304:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x3314:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
00000000.00000002.454868060.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x5940:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x5950:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x5f7c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x5f8c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x5f9c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x5fac:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x5fcc:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x5fec:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
|
00000007.00000002.961147065.0000019173A2A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x91d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x956a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x1690d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x163b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16a0f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16b87:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x9f82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x15634:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xacfa:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1bf5f:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1d062:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18de1:$sqlite3step: 68 34 1C 7B E1
- 0x18ef4:$sqlite3step: 68 34 1C 7B E1
- 0x18e10:$sqlite3text: 68 38 2A 90 C5
- 0x18f35:$sqlite3text: 68 38 2A 90 C5
- 0x18e23:$sqlite3blob: 68 53 D8 7F 8C
- 0x18f4b:$sqlite3blob: 68 53 D8 7F 8C
|
00000005.00000002.964554613.000002CA0370B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7858:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7bf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xb3b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x1bcd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xb4b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xb62f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x860a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1af4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9592:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x15247:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xdd1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x1c909:$sqlite3step: 68 34 1C 7B E1
- 0x1ca1c:$sqlite3step: 68 34 1C 7B E1
- 0x1c938:$sqlite3text: 68 38 2A 90 C5
- 0x1ca5d:$sqlite3text: 68 38 2A 90 C5
- 0x1c94b:$sqlite3blob: 68 53 D8 7F 8C
- 0x1ca73:$sqlite3blob: 68 53 D8 7F 8C
|
00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000002.961594354.000001559722F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x20:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x30:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x40:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0xc4:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0xd4:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x1a8:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x1b8:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x224:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x244:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x254:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x264:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x274:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x284:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
- 0x294:$x1: 78 34 4E 6A 52 63 65 44 59 79 58 48 67
- 0x2a4:$x1: 78 34 4E 7A 4E 63 65 44 63 30 58 48 67
- 0x2b4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x4b8:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
- 0x620:$x1: 78 34 4E 6A 68 63 65 44 59 78 58 48 67
- 0x630:$x1: 78 34 4E 54 4E 63 65 44 59 31 58 48 67
- 0x648:$x1: 78 34 4E 7A 56 63 65 44 63 7A 58 48 67
- 0x658:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x772c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x77662:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x84a05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x844b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x84b07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x84c7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x7807a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x8372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x78df2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x8a057:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x8b15a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x86ed9:$sqlite3step: 68 34 1C 7B E1
- 0x86fec:$sqlite3step: 68 34 1C 7B E1
- 0x86f08:$sqlite3text: 68 38 2A 90 C5
- 0x8702d:$sqlite3text: 68 38 2A 90 C5
- 0x86f1b:$sqlite3blob: 68 53 D8 7F 8C
- 0x87043:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000009.00000003.512701190.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8b48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8ee2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15d31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x164ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x98fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x14fac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa672:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b8d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c9da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18759:$sqlite3step: 68 34 1C 7B E1
- 0x1886c:$sqlite3step: 68 34 1C 7B E1
- 0x18788:$sqlite3text: 68 38 2A 90 C5
- 0x188ad:$sqlite3text: 68 38 2A 90 C5
- 0x1879b:$sqlite3blob: 68 53 D8 7F 8C
- 0x188c3:$sqlite3blob: 68 53 D8 7F 8C
|
00000007.00000002.961930563.0000019175726000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000005.00000002.990991085.000002CA0506D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.439308251.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x5940:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x5950:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x5f7c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x5f8c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x5f9c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x5fac:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x5fcc:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x5fec:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x6020:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x6030:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x6040:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x60c4:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x60d4:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x61a8:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x61b8:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x6224:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x6244:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x6254:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x6264:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x6274:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x6284:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
00000009.00000002.972899634.000002A0FE18A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.449493611.000001C6B5DFF000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x150:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x160:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x78c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x79c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x7ac:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x7bc:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x7dc:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x7fc:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x830:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x840:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x850:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x8d4:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x8e4:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x9b8:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x9c8:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0xa34:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0xa54:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xa64:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0xa74:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0xa84:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0xa94:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
00000009.00000002.964440619.000002A0FC389000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000002.959396798.0000015595552000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.448788961.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x5940:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x5950:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x5f7c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x5f8c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x5f9c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x5fac:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x5fcc:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x5fec:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
|
00000000.00000003.438775384.000001C6B5E12000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x29d0:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x29e0:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x300c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x301c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x302c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x303c:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x305c:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x307c:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x30b0:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x30c0:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x30d0:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x3154:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x3164:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x3238:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x3248:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x32b4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x32d4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x32e4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x32f4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x3304:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x3314:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
00000000.00000003.438537712.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x5940:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x5950:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x5f7c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x5f8c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x5f9c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x5fac:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x5fcc:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x5fec:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x6020:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x6030:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x6040:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x60c4:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x60d4:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x61a8:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x61b8:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x6224:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x6244:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x6254:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x6264:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x6274:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x6284:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb1618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xb19b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xbed55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0xbe801:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xbee57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xbefcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xb23ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0xbda7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb3142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0xc43a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xc54aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0xc1229:$sqlite3step: 68 34 1C 7B E1
- 0xc133c:$sqlite3step: 68 34 1C 7B E1
- 0xc1258:$sqlite3text: 68 38 2A 90 C5
- 0xc137d:$sqlite3text: 68 38 2A 90 C5
- 0xc126b:$sqlite3blob: 68 53 D8 7F 8C
- 0xc1393:$sqlite3blob: 68 53 D8 7F 8C
|
00000009.00000003.512633458.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7858:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7bf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xb3b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x1bcd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xb4b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xb62f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x860a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1af4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9592:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x15247:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xdd1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x1c909:$sqlite3step: 68 34 1C 7B E1
- 0x1ca1c:$sqlite3step: 68 34 1C 7B E1
- 0x1c938:$sqlite3text: 68 38 2A 90 C5
- 0x1ca5d:$sqlite3text: 68 38 2A 90 C5
- 0x1c94b:$sqlite3blob: 68 53 D8 7F 8C
- 0x1ca73:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7858:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7bf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xb3b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x1bcd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xb4b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xb62f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x860a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1af4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9592:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x15247:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xdd1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x1c909:$sqlite3step: 68 34 1C 7B E1
- 0x1ca1c:$sqlite3step: 68 34 1C 7B E1
- 0x1c938:$sqlite3text: 68 38 2A 90 C5
- 0x1ca5d:$sqlite3text: 68 38 2A 90 C5
- 0x1c94b:$sqlite3blob: 68 53 D8 7F 8C
- 0x1ca73:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x82c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8662:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15a05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x154b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15b07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x15c7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x907a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1472c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9df2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b057:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c15a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17ed9:$sqlite3step: 68 34 1C 7B E1
- 0x17fec:$sqlite3step: 68 34 1C 7B E1
- 0x17f08:$sqlite3text: 68 38 2A 90 C5
- 0x1802d:$sqlite3text: 68 38 2A 90 C5
- 0x17f1b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18043:$sqlite3blob: 68 53 D8 7F 8C
|
00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
Process Memory Space: wscript.exe PID: 6972 | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xa198d:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0xe8c15:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0xe8c25:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0xe9251:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0xe9261:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0xe9271:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0xe9281:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0xe92a1:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0xe92c1:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0xe92f5:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0xe9305:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0xe9315:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0xe9399:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0xe93a9:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0xe947d:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0xe948d:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0xe94f9:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0xe9519:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xe9529:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0xe9539:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0xe9549:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
|
Process Memory Space: wscript.exe PID: 7152 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 3576 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 1408 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 6416 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
95 entries in total.
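What the matched bytes in this table actually encode is not shown by the report itself. The following script is an added example (not part of the Joe Sandbox report, nor tooling from Joe Security, JPCERT/CC or Florian Roth): it re-parses a few match lines copied verbatim from the table above and interprets them. The $x1 hits of SUSP_Base64_Encoded_Hex_Encoded_Code are 13-character windows cut out of a longer base64 stream, so they have to be decoded at each of the three possible bit alignments; the one that yields `\xNN` escapes is the hex-encoded code the rule is named for. The JPCERT "Formbook" strings are each a 5-byte x86 `PUSH imm32` (opcode 0x68), and the string names ($sqlite3step, $sqlite3text, $sqlite3blob) say which sqlite3 export the pushed constant stands for. Assumptions: the `- 0xOFFSET:$name: HEX BYTES` line layout is exactly as printed, and the FormBook hits are 32-bit x86 code.

```python
"""Interpret the YARA string hits listed in the table above.

Added example, not part of the sandbox report or of any rule author's
tooling. Assumes only that match lines keep the '- 0xOFFSET:$name: HEX'
layout printed in the report and that FormBook hits are 32-bit x86 code.
"""
import re
import string

# Constructed sample: lines copied verbatim from the table above, two
# SUSP_Base64_Encoded_Hex_Encoded_Code hits and the three JPCERT strings.
SAMPLE_MATCH_LINES = [
    "- 0x5940:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67",
    "- 0x5950:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67",
    "- 0x17819:$sqlite3step: 68 34 1C 7B E1",
    "- 0x17848:$sqlite3text: 68 38 2A 90 C5",
    "- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C",
]

MATCH_LINE = re.compile(
    r"^-\s*0x([0-9a-fA-F]+):(\$\w+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")
B64_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")


def parse_match_line(line):
    """Split one table line into (offset, YARA string name, matched bytes)."""
    m = MATCH_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a YARA match line: {line!r}")
    return int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))


def decode_base64_fragment(fragment):
    """Decode a substring cut out of a longer base64 stream.

    A window of base64 characters can start 0, 2 or 4 bits into a
    plaintext byte, so there are three candidate decodings. Return the one
    that contains \\xNN escapes (what the rule is designed to find), or
    None if no alignment produces them.
    """
    bits = "".join(f"{B64_ALPHABET.index(c):06b}" for c in fragment)
    for phase in (0, 2, 4):
        window = bits[phase:]
        raw = bytes(int(window[i:i + 8], 2)
                    for i in range(0, len(window) - 7, 8))
        text = raw.decode("ascii", errors="replace")
        if HEX_ESCAPE.search(text):
            return text
    return None


def push_imm32(code):
    """Return the operand of a 5-byte x86 'PUSH imm32' (opcode 0x68).

    The JPCERT strings are exactly such pushes; the immediate is stored
    little-endian after the opcode byte.
    """
    if len(code) != 5 or code[0] != 0x68:
        raise ValueError("not a PUSH imm32 sequence")
    return int.from_bytes(code[1:], "little")


def explain_match(line):
    """Return a one-line human reading of a match line from the table."""
    offset, name, data = parse_match_line(line)
    if name == "$x1":                 # SUSP_Base64_Encoded_Hex_Encoded_Code
        decoded = decode_base64_fragment(data.decode("ascii"))
        return f"{offset:#x} {name}: base64 window of {decoded!r}"
    if name.startswith("$sqlite3"):   # JPCERT "Formbook" rule
        return f"{offset:#x} {name}: push {push_imm32(data):#010x}"
    return f"{offset:#x} {name}: {data.hex(' ')}"


if __name__ == "__main__":
    for sample in SAMPLE_MATCH_LINES:
        print(explain_match(sample))
```

Run as-is, the first $x1 window decodes (at the 4-bit phase) to `x6e\x64\x` and the second to `x66\x69\x`, i.e. fragments of a `\x6e\x64...` / `\x66\x69...` hex-escaped string, which is why every occurrence in the table starts with `78 34 4E` and ends with `58 48 67`. The three JPCERT strings push the constants 0xE17B1C34, 0xC5902A38 and 0x8C7FD853. For the yara-signator $sequence_0 bytes (`03 C8 0F 31 2B C1 89 45 FC`) no script is needed: read as x86 they are `add ecx, eax; rdtsc; sub eax, ecx; mov [ebp-4], eax`, a timestamp-counter delta stored to a local, the shape of a timing check.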