Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040B335 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
0_2_0041B42F |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040B53A |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0044D5E9 FindFirstFileExA, |
0_2_0044D5E9 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
0_2_004089A9 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, |
0_2_00406AC2 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
0_2_00407A8C |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00418C69 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00408DA7 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_020F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_020F900E |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
0_2_0210B696 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_020FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_020FB59C |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0213D850 FindFirstFileExA, |
0_2_0213D850 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02108ED0 FindFirstFileW, |
0_2_02108ED0 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_020F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
0_2_020F7CF3 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_020F6D29 FindFirstFileW,FindNextFileW, |
0_2_020F6D29 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
17_2_0040B335 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
17_2_0041B42F |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
17_2_0040B53A |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0044D5E9 FindFirstFileExA, |
17_2_0044D5E9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
17_2_004089A9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00406AC2 FindFirstFileW,FindNextFileW, |
17_2_00406AC2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
17_2_00407A8C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
17_2_00418C69 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
17_2_00408DA7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0075900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
17_2_0075900E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0075B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
17_2_0075B59C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
17_2_0076B696 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0079D850 FindFirstFileExA, |
17_2_0079D850 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00757CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
17_2_00757CF3 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00756D29 FindFirstFileW,FindNextFileW, |
17_2_00756D29 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00768ED0 FindFirstFileW, |
17_2_00768ED0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
20_2_0040B335 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
20_2_0041B42F |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
20_2_0040B53A |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0044D5E9 FindFirstFileExA, |
20_2_0044D5E9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
20_2_004089A9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00406AC2 FindFirstFileW,FindNextFileW, |
20_2_00406AC2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
20_2_00407A8C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
20_2_00418C69 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
20_2_00408DA7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0213900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
20_2_0213900E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
20_2_0214B696 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0213B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
20_2_0213B59C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0217D850 FindFirstFileExA, |
20_2_0217D850 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02148ED0 FindFirstFileW, |
20_2_02148ED0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02137CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
20_2_02137CF3 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02136D29 FindFirstFileW,FindNextFileW, |
20_2_02136D29 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
38_2_0040B335 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
38_2_0041B42F |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
38_2_0040B53A |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0044D5E9 FindFirstFileExA, |
38_2_0044D5E9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
38_2_004089A9 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00406AC2 FindFirstFileW,FindNextFileW, |
38_2_00406AC2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
38_2_00407A8C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
38_2_00418C69 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
38_2_00408DA7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0218900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
38_2_0218900E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
38_2_0219B696 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0218B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
38_2_0218B59C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021CD850 FindFirstFileExA, |
38_2_021CD850 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_02198ED0 FindFirstFileW, |
38_2_02198ED0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_02187CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
38_2_02187CF3 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_02186D29 FindFirstFileW,FindNextFileW, |
38_2_02186D29 |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR |
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000011.00000002.4624113726.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
0_2_0041CA9E |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, |
0_2_0041ACC1 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, |
0_2_0041ACED |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210AF28 OpenProcess,NtSuspendProcess,CloseHandle, |
0_2_0210AF28 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210AF54 OpenProcess,NtResumeProcess,CloseHandle, |
0_2_0210AF54 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
0_2_0210CD05 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
17_2_0041CA9E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, |
17_2_0041ACC1 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, |
17_2_0041ACED |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
17_2_0076CD05 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076AF54 OpenProcess,NtResumeProcess,CloseHandle, |
17_2_0076AF54 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076AF28 OpenProcess,NtSuspendProcess,CloseHandle, |
17_2_0076AF28 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
20_2_0041CA9E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, |
20_2_0041ACC1 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, |
20_2_0041ACED |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214AF28 OpenProcess,NtSuspendProcess,CloseHandle, |
20_2_0214AF28 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214AF54 OpenProcess,NtResumeProcess,CloseHandle, |
20_2_0214AF54 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
20_2_0214CD05 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
38_2_0041CA9E |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, |
38_2_0041ACC1 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, |
38_2_0041ACED |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219AF28 OpenProcess,NtSuspendProcess,CloseHandle, |
38_2_0219AF28 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219AF54 OpenProcess,NtResumeProcess,CloseHandle, |
38_2_0219AF54 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, |
38_2_0219CD05 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041D071 |
0_2_0041D071 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_004520D2 |
0_2_004520D2 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0043D098 |
0_2_0043D098 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00437150 |
0_2_00437150 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_004361AA |
0_2_004361AA |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00426254 |
0_2_00426254 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00431377 |
0_2_00431377 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0041E5DF |
0_2_0041E5DF |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0044C739 |
0_2_0044C739 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_004267CB |
0_2_004267CB |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0043C9DD |
0_2_0043C9DD |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00432A49 |
0_2_00432A49 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0043CC0C |
0_2_0043CC0C |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00434D22 |
0_2_00434D22 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00426E73 |
0_2_00426E73 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00440E20 |
0_2_00440E20 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0043CE3B |
0_2_0043CE3B |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00412F45 |
0_2_00412F45 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00452F00 |
0_2_00452F00 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_00426FAD |
0_2_00426FAD |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02117214 |
0_2_02117214 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210D2D8 |
0_2_0210D2D8 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0212D2FF |
0_2_0212D2FF |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02142339 |
0_2_02142339 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_021273B7 |
0_2_021273B7 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02131087 |
0_2_02131087 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0212D0A2 |
0_2_0212D0A2 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_021170DA |
0_2_021170DA |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02126411 |
0_2_02126411 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_021164BB |
0_2_021164BB |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02116A32 |
0_2_02116A32 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0210E846 |
0_2_0210E846 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0212CE73 |
0_2_0212CE73 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_0212CC44 |
0_2_0212CC44 |
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: 0_2_02122CB0 |
0_2_02122CB0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041D071 |
17_2_0041D071 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_004520D2 |
17_2_004520D2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0043D098 |
17_2_0043D098 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00437150 |
17_2_00437150 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_004361AA |
17_2_004361AA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00426254 |
17_2_00426254 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00431377 |
17_2_00431377 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0041E5DF |
17_2_0041E5DF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0044C739 |
17_2_0044C739 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_004267CB |
17_2_004267CB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0043C9DD |
17_2_0043C9DD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00432A49 |
17_2_00432A49 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0043CC0C |
17_2_0043CC0C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00434D22 |
17_2_00434D22 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00426E73 |
17_2_00426E73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00440E20 |
17_2_00440E20 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0043CE3B |
17_2_0043CE3B |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00412F45 |
17_2_00412F45 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00452F00 |
17_2_00452F00 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00426FAD |
17_2_00426FAD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_007770DA |
17_2_007770DA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0078D0A2 |
17_2_0078D0A2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00791087 |
17_2_00791087 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00777214 |
17_2_00777214 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0078D2FF |
17_2_0078D2FF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076D2D8 |
17_2_0076D2D8 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_007A2339 |
17_2_007A2339 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_007873B7 |
17_2_007873B7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00786411 |
17_2_00786411 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_007764BB |
17_2_007764BB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0076E846 |
17_2_0076E846 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00776A32 |
17_2_00776A32 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0078CC44 |
17_2_0078CC44 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_00782CB0 |
17_2_00782CB0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 17_2_0078CE73 |
17_2_0078CE73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041D071 |
20_2_0041D071 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_004520D2 |
20_2_004520D2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0043D098 |
20_2_0043D098 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00437150 |
20_2_00437150 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_004361AA |
20_2_004361AA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00426254 |
20_2_00426254 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00431377 |
20_2_00431377 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0041E5DF |
20_2_0041E5DF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0044C739 |
20_2_0044C739 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_004267CB |
20_2_004267CB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0043C9DD |
20_2_0043C9DD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00432A49 |
20_2_00432A49 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0043CC0C |
20_2_0043CC0C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00434D22 |
20_2_00434D22 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00426E73 |
20_2_00426E73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00440E20 |
20_2_00440E20 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0043CE3B |
20_2_0043CE3B |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00412F45 |
20_2_00412F45 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00452F00 |
20_2_00452F00 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_00426FAD |
20_2_00426FAD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02157214 |
20_2_02157214 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214D2D8 |
20_2_0214D2D8 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0216D2FF |
20_2_0216D2FF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02182339 |
20_2_02182339 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_021673B7 |
20_2_021673B7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02171087 |
20_2_02171087 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0216D0A2 |
20_2_0216D0A2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_021570DA |
20_2_021570DA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02166411 |
20_2_02166411 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_021564BB |
20_2_021564BB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02156A32 |
20_2_02156A32 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0214E846 |
20_2_0214E846 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0216CE73 |
20_2_0216CE73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_0216CC44 |
20_2_0216CC44 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 20_2_02162CB0 |
20_2_02162CB0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041D071 |
38_2_0041D071 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_004520D2 |
38_2_004520D2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0043D098 |
38_2_0043D098 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00437150 |
38_2_00437150 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_004361AA |
38_2_004361AA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00426254 |
38_2_00426254 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00431377 |
38_2_00431377 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0041E5DF |
38_2_0041E5DF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0044C739 |
38_2_0044C739 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_004267CB |
38_2_004267CB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0043C9DD |
38_2_0043C9DD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00432A49 |
38_2_00432A49 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0043CC0C |
38_2_0043CC0C |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00434D22 |
38_2_00434D22 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00426E73 |
38_2_00426E73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00440E20 |
38_2_00440E20 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0043CE3B |
38_2_0043CE3B |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00412F45 |
38_2_00412F45 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00452F00 |
38_2_00452F00 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_00426FAD |
38_2_00426FAD |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021A7214 |
38_2_021A7214 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219D2D8 |
38_2_0219D2D8 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021BD2FF |
38_2_021BD2FF |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021D2339 |
38_2_021D2339 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021B73B7 |
38_2_021B73B7 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021C1087 |
38_2_021C1087 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021BD0A2 |
38_2_021BD0A2 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021A70DA |
38_2_021A70DA |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021B6411 |
38_2_021B6411 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021A64BB |
38_2_021A64BB |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021A6A32 |
38_2_021A6A32 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_0219E846 |
38_2_0219E846 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021BCE73 |
38_2_021BCE73 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021BCC44 |
38_2_021BCC44 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: 38_2_021B2CB0 |
38_2_021B2CB0 |
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 0075234E appears 37 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 021B3B0C appears 41 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 02164217 appears 46 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 02163B0C appears 41 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 0043ADAE appears 45 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 021B4217 appears 46 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 0218234E appears 37 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00401D64 appears 64 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00447174 appears 54 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00401F66 appears 150 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00401FAA appears 63 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00403B40 appears 66 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00433FB0 appears 165 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00406478 appears 33 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00444B14 appears 84 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00404C9E appears 48 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 004026CE appears 45 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 004020E7 appears 118 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 004567E0 appears 39 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00401E8F appears 55 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00401E52 appears 33 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 004040BB appears 54 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00410D8D appears 54 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 004338A5 appears 123 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00783B0C appears 41 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 0213234E appears 37 times |
|
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe |
Code function: String function: 00784217 appears 46 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 004020E7 appears 39 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 020F234E appears 37 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 02124217 appears 46 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 00401F66 appears 50 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 004338A5 appears 41 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 02123B0C appears 41 times |
|
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe |
Code function: String function: 00433FB0 appears 55 times |
|
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSH< |