Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE |
Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: Process Memory Space: Client.exe PID: 152, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: notepad.exe PID: 280, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: colorcpl.exe PID: 2564, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp, type: DROPPED |
Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs |
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE |
Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE |
Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: Process Memory Space: Client.exe PID: 152, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: notepad.exe PID: 280, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: colorcpl.exe PID: 2564, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp, type: DROPPED |
Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp, type: DROPPED |
Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007FA634 |
9_2_007FA634 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_00852622 |
9_2_00852622 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007BE6C1 |
9_2_007BE6C1 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007B4680 |
9_2_007B4680 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0083579A |
9_2_0083579A |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007E57C3 |
9_2_007E57C3 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007BC7BC |
9_2_007BC7BC |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007D286D |
9_2_007D286D |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007BC85C |
9_2_007BC85C |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0082F8C4 |
9_2_0082F8C4 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0084F8EE |
9_2_0084F8EE |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0085098E |
9_2_0085098E |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007C69FE |
9_2_007C69FE |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0083394B |
9_2_0083394B |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007B29B2 |
9_2_007B29B2 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_00835955 |
9_2_00835955 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_00863A83 |
9_2_00863A83 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0085CBA4 |
9_2_0085CBA4 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0083DBDA |
9_2_0083DBDA |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007D7B00 |
9_2_007D7B00 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007BCD5B |
9_2_007BCD5B |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007E0D3B |
9_2_007E0D3B |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0084FDDD |
9_2_0084FDDD |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007CEE4C |
9_2_007CEE4C |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007E2E2F |
9_2_007E2E2F |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007DDF7C |
9_2_007DDF7C |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0084CFB1 |
9_2_0084CFB1 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007C0F3F |
9_2_007C0F3F |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_00822FDC |
9_2_00822FDC |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001FA036 |
9_2_001FA036 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001F1082 |
9_2_001F1082 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001FB232 |
9_2_001FB232 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001FE5CD |
9_2_001FE5CD |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001F8912 |
9_2_001F8912 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001F5B32 |
9_2_001F5B32 |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001F5B30 |
9_2_001F5B30 |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_001C2588 NtQuerySystemInformation, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_001C2580 NtQuerySystemInformation, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_0035F180 NtResumeThread, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_0035D2B0 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_0035DC90 NtSetContextThread, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_0035CDD8 NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_0035D798 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_003600D8 NtClose, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_003600D7 NtClose, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_04D7BAB8 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Code function: 5_2_04D7BF98 NtCreateThreadEx, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A360 NtCreateFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A410 NtReadFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A490 NtClose, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A540 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A35A NtCreateFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A31D NtCreateFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0041A4BA NtClose, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A0078 NtResumeThread,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A00C4 NtCreateFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079F900 NtReadFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079F9F0 NtClose,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FD8C NtDelayExecution,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FFB4 NtCreateSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A0060 NtQuerySection, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A10D0 NtOpenProcessToken, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A1148 NtOpenThread, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A010C NtOpenDirectoryObject, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A01D4 NtSetValueKey, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A07AC NtCreateMutant, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079F8CC NtWaitForSingleObject, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079F938 NtWriteFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A1930 NtSetContextThread, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FA50 NtEnumerateValueKey, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FA20 NtQueryInformationFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FAB8 NtQueryValueKey, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FB50 NtCreateKey, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FBE8 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FC48 NtSetInformationFile, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A0C40 NtGetContextThread, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FC30 NtOpenProcess, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FD5C NtEnumerateKey, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_007A1D80 NtSuspendThread, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FE24 NtWriteVirtualMemory, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FF34 NtQueueApcThread, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_0079FFFC NtCreateProcessEx, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001FA036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, |
Source: C:\Windows\SysWOW64\notepad.exe |
Code function: 9_2_001FA042 NtQueryInformationProcess, |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\colorcpl.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |