Source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "pekonomia.duckdns.org:30861:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-B0VP4N", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"} |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0044D0F9 FindFirstFileExA, |
2_2_0044D0F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
2_2_0040B0AA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
2_2_0040B2B1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, |
2_2_00418650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
2_2_0040B8C7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00408909 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
2_2_0041AC0A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00408D1B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
2_2_00407E80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00406EB0 FindFirstFileW,FindNextFileW, |
2_2_00406EB0 |
Source: aspnet_compiler.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
2_2_00415802 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
2_2_00415802 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
2_2_00415802 |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00437040 |
2_2_00437040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004361CE |
2_2_004361CE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004131DA |
2_2_004131DA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0044C249 |
2_2_0044C249 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00432251 |
2_2_00432251 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00426351 |
2_2_00426351 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041C46D |
2_2_0041C46D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004264BA |
2_2_004264BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00436603 |
2_2_00436603 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0043C76D |
2_2_0043C76D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00425719 |
2_2_00425719 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00434731 |
2_2_00434731 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004358BA |
2_2_004358BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004529D9 |
2_2_004529D9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0043C99C |
2_2_0043C99C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041DA05 |
2_2_0041DA05 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00436A38 |
2_2_00436A38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00444AF0 |
2_2_00444AF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0043CBCB |
2_2_0043CBCB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00451BAB |
2_2_00451BAB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00425CA8 |
2_2_00425CA8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00435DB6 |
2_2_00435DB6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0043CE28 |
2_2_0043CE28 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 0043307B appears 41 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 00402073 appears 50 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: String function: 00433700 appears 54 times |
|
Source: file.exe |
Binary or memory string: OriginalFilename vs file.exe |
Source: file.exe, 00000001.00000002.554923464.0000018FF8B19000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe |
Source: file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilenameNBB872.exe. vs file.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
2_2_0041B4C9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
2_2_0041B4C9 |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0044D0F9 FindFirstFileExA, |
2_2_0044D0F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
2_2_0040B0AA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
2_2_0040B2B1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, |
2_2_00418650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
2_2_0040B8C7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00408909 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
2_2_0041AC0A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00408D1B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
2_2_00407E80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00406EB0 FindFirstFileW,FindNextFileW, |
2_2_00406EB0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, |
2_2_0041B4C9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00433452 SetUnhandledExceptionFilter, |
2_2_00433452 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00433304 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0043A3F1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: 2_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_004338CC |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000 |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10E4008 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
2_2_0044716D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
2_2_00450558 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
2_2_004507D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
2_2_0045081B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
2_2_004508B6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00450943 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
2_2_00450B93 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: EnumSystemLocalesW, |
2_2_00446C84 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_00450CBC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoW, |
2_2_00450DC3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetLocaleInfoA, |
2_2_0040EE14 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00450E90 |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR |