Source: WebCompanion.dll | ReversingLabs: Detection: 23% |
Source: WebCompanion.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: WebCompanion.dll | Static PE information: certificate valid |
Source: WebCompanion.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: WebCompanion.dll | Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdbX. |
Source: WebCompanion.dll | Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb |
Source: WebCompanion.dll | Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdb |
Source: WebCompanion.dll | Binary string: Z:\Documents\bidmonitor\web-companion\WebCompanion\bin\Release\Dotfuscated\WebCompanion.Merged.pdb |
Source: WebCompanion.dll | Binary string: d:\Projects\lz4net\src\LZ4.net2\obj\Release\LZ4.pdb |
Source: WebCompanion.dll | Binary string: Z:\Documents\bidmonitor\web-companion\WebCompanion\bin\Release\Dotfuscated\WebCompanion.Merged.pdb, |
Source: Yara match | File source: WebCompanion.dll, type: SAMPLE |
Source: WebCompanion.dll | String found in binary or memory: http://aia.entrust.net/evcs1-chain256.cer01 |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: WebCompanion.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: WebCompanion.dll | String found in binary or memory: http://crl.entrust.net/evcs1.crl0 |
Source: WebCompanion.dll | String found in binary or memory: http://crl.entrust.net/g2ca.crl0; |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: WebCompanion.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: WebCompanion.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: WebCompanion.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: WebCompanion.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: WebCompanion.dll | String found in binary or memory: http://dkf201.com%http://wzp9182.comIhttp://d2vtta4ibs40qt.cloudfront.netI1f667d94-35d0-4958-aa21-54 |
Source: WebCompanion.dll | String found in binary or memory: http://james.newtonking.com/projects/json |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.digicert.com0 |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.digicert.com0A |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.digicert.com0C |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.digicert.com0O |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.digicert.com0X |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.entrust.net00 |
Source: WebCompanion.dll | String found in binary or memory: http://ocsp.entrust.net05 |
Source: WebCompanion.dll | String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xml |
Source: WebCompanion.dll | String found in binary or memory: http://system.data.sqlite.org/ |
Source: WebCompanion.dll | String found in binary or memory: http://system.data.sqlite.org/X |
Source: WebCompanion.dll | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: WebCompanion.dll | String found in binary or memory: http://www.entrust.net/rpa0 |
Source: WebCompanion.dll | String found in binary or memory: http://www.mozilla.org/2006/browser/search/=//msbld:Url |
Source: WebCompanion.dll | String found in binary or memory: https://search-get.com/wc/search?q= |
Source: WebCompanion.dll | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: WebCompanion.dll | String found in binary or memory: https://www.entrust.net/rpa0 |
Source: WebCompanion.dll | String found in binary or memory: https://www.search-get.com/favicon.ico |
Source: WebCompanion.dll | Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs WebCompanion.dll |
Source: WebCompanion.dll | Binary or memory string: OriginalFilenameLZ4.dll( vs WebCompanion.dll |
Source: WebCompanion.dll | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs WebCompanion.dll |
Source: WebCompanion.dll | Binary or memory string: OriginalFilenameSystem.Data.SQLite.dllH vs WebCompanion.dll |
Source: WebCompanion.dll, ac.cs | Cryptographic APIs: 'TransformBlock' |
Source: WebCompanion.dll, InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock' |
Source: WebCompanion.dll, DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock' |
Source: WebCompanion.dll, Scheduler.cs | Task registration methods: 'CreateLogonScheduledTask' |
Source: WebCompanion.dll, Scheduler.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: WebCompanion.dll, FileHelper.cs | Security API names: System.IO.FileInfo.SetAccessControl(System.Security.AccessControl.FileSecurity) |
Source: WebCompanion.dll, FileHelper.cs | Security API names: System.IO.FileInfo.GetAccessControl() |
Source: WebCompanion.dll, FileHelper.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule) |
Source: classification engine | Classification label: mal56.troj.evad.winDLL@6/0@0/0 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03 |
Source: WebCompanion.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: WebCompanion.dll | Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.58% |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WebCompanion.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WebCompanion.dll" |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WebCompanion.dll",#1 |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll |
Source: WebCompanion.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: WebCompanion.dll | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: WebCompanion.dll | Static file information: File size 3857728 > 1048576 |
Source: WebCompanion.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3aa600 |
Source: WebCompanion.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: WebCompanion.dll, d1.cs | .Net Code: dz |
Source: WebCompanion.dll, dq.cs | .Net Code: a |
Source: WebCompanion.dll, Scheduler.cs | .Net Code: CreateLogonScheduledTask |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |