Source: http://www.chmoptk.xyz/ko14/?a8a0I6=AN9ddFth&5jf=M7nqW8aR7mNvoHxLrPxI2y49I5+WA672UYaebqQM8uyw3pghcvdZz9ysw/++M4PBBSKx | Avira URL Cloud: Label: malware |
Source: http://www.benguey.com/ko14/www.garciaguardadopainting.com | Avira URL Cloud: Label: malware |
Source: http://www.getagrandbankcard.com/ko14/www.kubulaw.com | Avira URL Cloud: Label: malware |
Source: http://www.hbrsty.com/ko14/www.jirehgems.com | Avira URL Cloud: Label: malware |
Source: http://www.island6.work/ko14/?5jf=VaDSnsgvonCigUZ+pmDkuHBOCaBr5JnrGKmoNvP+bJqyBIIgbn+8auQsuvmDsx/CLI6H&a8a0I6=AN9ddFth | Avira URL Cloud: Label: malware |
Source: http://www.ke3yjs5tri.one/ko14/www.itsallwool.net | Avira URL Cloud: Label: malware |
Source: http://www.bluehorizonnirvana.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.hbrsty.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.jirehgems.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.kayseriplise.com/ko14/www.ke3yjs5tri.one | Avira URL Cloud: Label: malware |
Source: http://www.kubulaw.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.chmoptk.xyz/ko14/www.getagrandbankcard.com | Avira URL Cloud: Label: malware |
Source: http://www.ke3yjs5tri.one/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.kubulaw.com/ko14/www.1wthqp.top | Avira URL Cloud: Label: malware |
Source: http://www.island6.work/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.itsallwool.net/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.chmoptk.xyz/ko14/www.island6.work | Avira URL Cloud: Label: malware |
Source: http://www.bluehorizonnirvana.com/ko14/www.chmoptk.xyz | Avira URL Cloud: Label: malware |
Source: http://www.chmoptk.xyz/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.benguey.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.elandtoyar.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.bluehorizonnirvana.com/ko14/?a8a0I6=AN9ddFth&5jf=BQFbNS1tJ024OW9lmuATJr9Xnniob3WjOEkugQ07ZFP/1sWqi7DwmqNdo26PC6xDvEYj | Avira URL Cloud: Label: malware |
Source: http://www.island6.work/ko14/www.bluehorizonnirvana.com | Avira URL Cloud: Label: malware |
Source: http://www.chmoptk.xyz | Avira URL Cloud: Label: malware |
Source: http://www.elandtoyar.com/ko14/www.set4.co.uk | Avira URL Cloud: Label: malware |
Source: http://www.getagrandbankcard.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.garciaguardadopainting.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.jirehgems.com/ko14/www.elandtoyar.com | Avira URL Cloud: Label: malware |
Source: http://www.kayseriplise.com/ko14/ | Avira URL Cloud: Label: malware |
Source: http://www.set4.co.uk/ko14/www.benguey.com | Avira URL Cloud: Label: malware |
Source: http://www.itsallwool.net/ko14/www.hbrsty.com | Avira URL Cloud: Label: malware |
Source: http://www.set4.co.uk/ko14/ | Avira URL Cloud: Label: malware |
Source: 9Y0iIDL2cA.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wthqp.top |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wthqp.top/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wthqp.top/ko14/www.kayseriplise.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wthqp.topReferer: |
Source: explorer.exe, 00000004.00000002.540436871.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.300792983.000000000F270000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.benguey.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.benguey.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.benguey.com/ko14/www.garciaguardadopainting.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.benguey.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bluehorizonnirvana.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bluehorizonnirvana.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bluehorizonnirvana.com/ko14/www.chmoptk.xyz |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bluehorizonnirvana.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chmoptk.xyz |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chmoptk.xyz/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chmoptk.xyz/ko14/www.getagrandbankcard.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chmoptk.xyz/ko14/www.island6.work |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chmoptk.xyzReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elandtoyar.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elandtoyar.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elandtoyar.com/ko14/www.set4.co.uk |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elandtoyar.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.garciaguardadopainting.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.garciaguardadopainting.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.garciaguardadopainting.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.getagrandbankcard.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.getagrandbankcard.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.getagrandbankcard.com/ko14/www.kubulaw.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.getagrandbankcard.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hbrsty.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hbrsty.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hbrsty.com/ko14/www.jirehgems.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hbrsty.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.island6.work |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.island6.work/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.island6.work/ko14/www.bluehorizonnirvana.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.island6.workReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itsallwool.net |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itsallwool.net/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itsallwool.net/ko14/www.hbrsty.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itsallwool.netReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jirehgems.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jirehgems.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jirehgems.com/ko14/www.elandtoyar.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jirehgems.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kayseriplise.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kayseriplise.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kayseriplise.com/ko14/www.ke3yjs5tri.one |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kayseriplise.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ke3yjs5tri.one |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ke3yjs5tri.one/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ke3yjs5tri.one/ko14/www.itsallwool.net |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ke3yjs5tri.oneReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kubulaw.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kubulaw.com/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kubulaw.com/ko14/www.1wthqp.top |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kubulaw.comReferer: |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.set4.co.uk |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.set4.co.uk/ko14/ |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.set4.co.uk/ko14/www.benguey.com |
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.set4.co.ukReferer: |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: Process Memory Space: eepwidokpg.exe PID: 5608, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: eepwidokpg.exe PID: 1668, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: WWAHost.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: Process Memory Space: eepwidokpg.exe PID: 5608, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: eepwidokpg.exe PID: 1668, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: WWAHost.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe | Code function: 0_2_00406D5F | 0_2_00406D5F |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00401026 | 3_2_00401026 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00401030 | 3_2_00401030 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041D8FB | 3_2_0041D8FB |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041DCFB | 3_2_0041DCFB |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041E524 | 3_2_0041E524 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041EDC0 | 3_2_0041EDC0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00402D90 | 3_2_00402D90 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00409E4B | 3_2_00409E4B |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00409E50 | 3_2_00409E50 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041D69A | 3_2_0041D69A |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041EFE9 | 3_2_0041EFE9 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0097B090 | 3_2_0097B090 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_00A320A8 | 3_2_00A320A8 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B8232 | 4_2_103B8232 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B7036 | 4_2_103B7036 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103AE082 | 4_2_103AE082 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B2B32 | 4_2_103B2B32 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B2B30 | 4_2_103B2B30 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B5912 | 4_2_103B5912 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103AFD02 | 4_2_103AFD02 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103BB5CD | 4_2_103BB5CD |
Source: C:\Windows\explorer.exe | Code function: 4_2_108FA082 | 4_2_108FA082 |
Source: C:\Windows\explorer.exe | Code function: 4_2_10903036 | 4_2_10903036 |
Source: C:\Windows\explorer.exe | Code function: 4_2_109075CD | 4_2_109075CD |
Source: C:\Windows\explorer.exe | Code function: 4_2_10901912 | 4_2_10901912 |
Source: C:\Windows\explorer.exe | Code function: 4_2_108FBD02 | 4_2_108FBD02 |
Source: C:\Windows\explorer.exe | Code function: 4_2_10904232 | 4_2_10904232 |
Source: C:\Windows\explorer.exe | Code function: 4_2_108FEB32 | 4_2_108FEB32 |
Source: C:\Windows\explorer.exe | Code function: 4_2_108FEB30 | 4_2_108FEB30 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A350 NtCreateFile, | 3_2_0041A350 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A400 NtReadFile, | 3_2_0041A400 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A480 NtClose, | 3_2_0041A480 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A530 NtAllocateVirtualMemory, | 3_2_0041A530 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A34A NtCreateFile, | 3_2_0041A34A |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A3FB NtReadFile, | 3_2_0041A3FB |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A3A3 NtReadFile, | 3_2_0041A3A3 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_0041A52A NtAllocateVirtualMemory, | 3_2_0041A52A |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A98F0 NtReadVirtualMemory,LdrInitializeThunk, | 3_2_009A98F0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9840 NtDelayExecution,LdrInitializeThunk, | 3_2_009A9840 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9860 NtQuerySystemInformation,LdrInitializeThunk, | 3_2_009A9860 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A99A0 NtCreateSection,LdrInitializeThunk, | 3_2_009A99A0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 3_2_009A9910 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 3_2_009A9A00 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9A20 NtResumeThread,LdrInitializeThunk, | 3_2_009A9A20 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9A50 NtCreateFile,LdrInitializeThunk, | 3_2_009A9A50 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A95D0 NtClose,LdrInitializeThunk, | 3_2_009A95D0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9540 NtReadFile,LdrInitializeThunk, | 3_2_009A9540 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 3_2_009A96E0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 3_2_009A9660 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9780 NtMapViewOfSection,LdrInitializeThunk, | 3_2_009A9780 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 3_2_009A97A0 |
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe | Code function: 3_2_009A9710 NtQueryInformationToken,LdrInitializeThunk, | 3_2_009A9710 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B8232 NtCreateFile, | 4_2_103B8232 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B9E12 NtProtectVirtualMemory, | 4_2_103B9E12 |
Source: C:\Windows\explorer.exe | Code function: 4_2_103B9E0A NtProtectVirtualMemory, | 4_2_103B9E0A |