Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:55433:1185.65.134.166:55433:110.11.0.5:55433:145.128.234.54:55433:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-UQ90W9", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"} |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0044D0F9 FindFirstFileExA, |
4_2_0044D0F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
4_2_0040B0AA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
4_2_0040B2B1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, |
4_2_00418650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
4_2_0040B8C7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_00408909 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
4_2_0041AC0A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_00408D1B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
4_2_00407E80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00406EB0 FindFirstFileW,FindNextFileW, |
4_2_00406EB0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.65.134.166 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.65.134.166 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.65.134.166 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.128.234.54 |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/j |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp1 |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpESS |
Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpf |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gples8 |
Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gprol |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
4_2_00415802 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
4_2_00415802 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
4_2_00415802 |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Source: file.exe, type: SAMPLE |
Matched rule: Detects zgRAT Author: ditekSHen |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects zgRAT Author: ditekSHen |
Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects zgRAT Author: ditekSHen |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: file.exe, type: SAMPLE |
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT |
Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FF814F23AAA |
0_2_00007FF814F23AAA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00437040 |
4_2_00437040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004361CE |
4_2_004361CE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004131DA |
4_2_004131DA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0044C249 |
4_2_0044C249 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00432251 |
4_2_00432251 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00426351 |
4_2_00426351 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041C46D |
4_2_0041C46D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004264BA |
4_2_004264BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00436603 |
4_2_00436603 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0043C76D |
4_2_0043C76D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00425719 |
4_2_00425719 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00434731 |
4_2_00434731 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004358BA |
4_2_004358BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004529D9 |
4_2_004529D9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0043C99C |
4_2_0043C99C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041DA05 |
4_2_0041DA05 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00436A38 |
4_2_00436A38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00444AF0 |
4_2_00444AF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0043CBCB |
4_2_0043CBCB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00451BAB |
4_2_00451BAB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00425CA8 |
4_2_00425CA8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00435DB6 |
4_2_00435DB6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0043CE28 |
4_2_0043CE28 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 0043307B appears 41 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 00402073 appears 50 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 00433700 appears 54 times |
|
Source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe |
Source: file.exe, 00000000.00000002.566970526.00000177E991C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe, 00000000.00000002.566934362.00000177E9842000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe |
Source: file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00000177E97B2C75 push FFFFFFBAh; iretd |
0_2_00000177E97B2C7C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00456328 push eax; ret |
4_2_00456346 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0045C51D push esi; ret |
4_2_0045C526 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00433746 push ecx; ret |
4_2_00433759 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00455A06 push ecx; ret |
4_2_00455A19 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
4_2_0041B4C9 |
Source: file.exe, c2VdCkcfuulLVd3JSVN/dMdjZgcZKPfS5AC2lDf.cs |
High entropy of concatenated method names: 'WcocIY8WWi', 'KHTcmWEX8l', 'ReIcHq3C21', 'rtAc6rInaP', 'SCxcOUCgho', 'HRxcCvZRpO', 'Ce4cNESpOo', '.ctor', '.cctor', 'B49EjuYwa6e1tR1hSn7' |
Source: file.exe, rU0ptD4llTJ1hV0R3g/X0fs42yqQa7Qy1FGHk.cs |
High entropy of concatenated method names: '.cctor', 'X1reT73iit', 'Au7kmKk34', 'grrJKvsrg', 'RLK0bfYJn', 'MrGifVCYO', 'y84SWi6la', 'xJLo4XVgE', 'AlD1yfQTm', '.ctor' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
4_2_0041B4C9 |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0044D0F9 FindFirstFileExA, |
4_2_0044D0F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
4_2_0040B0AA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
4_2_0040B2B1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, |
4_2_00418650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
4_2_0040B8C7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_00408909 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
4_2_0041AC0A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_00408D1B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
4_2_00407E80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00406EB0 FindFirstFileW,FindNextFileW, |
4_2_00406EB0 |
Source: file.exe, 00000000.00000002.564591902.00000177920B6000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: HgfsSa/7Mz4 |
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %bl%HgfsSa/7Mz4AIvfRNmLk/Cs/YU5W |
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5W |
Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %bl%HgfsSa/7Mz4 |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW` |
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5WBLrwdvF/nOMbOXnxggMpO2I4rdwEEEPuX43KdCEpLr8hfjnvbzKgncgEFnjBxtlFg4TfjKuZ4Cr/qhLBl/Kscx8p3EhZQxAe2rApE/tcOjHfPhRncUf4Rk3/wAyaUcppDB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
4_2_0041B4C9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00433452 SetUnhandledExceptionFilter, |
4_2_00433452 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_00433304 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_0043A3F1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 4_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_004338CC |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: B04008 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: program managerW9\ |
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: |Program Manager| |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
4_2_0044716D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
4_2_00450558 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
4_2_004507D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
4_2_0045081B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
4_2_004508B6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
4_2_00450943 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
4_2_00450B93 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
4_2_00446C84 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
4_2_00450CBC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
4_2_00450DC3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoA, |
4_2_0040EE14 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
4_2_00450E90 |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR |