Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR |
Source: | Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 3_2_00409253 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 3_2_0041C291 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 3_2_0040C34D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 3_2_00409665 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0044E879 FindFirstFileExA, | 3_2_0044E879 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 3_2_0040880C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, | 3_2_0040783C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 3_2_00419AF5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 3_2_0040BB30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 3_2_0040BD37 |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp. |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/ |
Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpG |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpal |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpc |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpr& |
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpr2 |
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34714D30 | 0_2_00007FFD34714D30 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34701500 | 0_2_00007FFD34701500 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD3470BDE9 | 0_2_00007FFD3470BDE9 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34708EF8 | 0_2_00007FFD34708EF8 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34703B18 | 0_2_00007FFD34703B18 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34701800 | 0_2_00007FFD34701800 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD347043EC | 0_2_00007FFD347043EC |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD347014FD | 0_2_00007FFD347014FD |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34714D89 | 0_2_00007FFD34714D89 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD34708F3F | 0_2_00007FFD34708F3F |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD3471079A | 0_2_00007FFD3471079A |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Code function: 0_2_00007FFD347E00FB | 0_2_00007FFD347E00FB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0043E0CC | 3_2_0043E0CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041F0FA | 3_2_0041F0FA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00454159 | 3_2_00454159 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00438168 | 3_2_00438168 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_004461F0 | 3_2_004461F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0043E2FB | 3_2_0043E2FB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0045332B | 3_2_0045332B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0042739D | 3_2_0042739D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_004374E6 | 3_2_004374E6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0043E558 | 3_2_0043E558 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00438770 | 3_2_00438770 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_004378FE | 3_2_004378FE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00433946 | 3_2_00433946 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0044D9C9 | 3_2_0044D9C9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00427A46 | 3_2_00427A46 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041DB62 | 3_2_0041DB62 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00427BAF | 3_2_00427BAF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00437D33 | 3_2_00437D33 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00435E5E | 3_2_00435E5E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00426E0E | 3_2_00426E0E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0043DE9D | 3_2_0043DE9D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00413FCA | 3_2_00413FCA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00436FEA | 3_2_00436FEA |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: rstrtmgr.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: | Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr |
Source: | Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 3_2_0041CB50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 3_2_0041CB50 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 3_2_00409253 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 3_2_0041C291 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 3_2_0040C34D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 3_2_00409665 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0044E879 FindFirstFileExA, | 3_2_0044E879 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 3_2_0040880C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, | 3_2_0040783C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 3_2_00419AF5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 3_2_0040BB30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 3_2_0040BD37 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW{ |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc. |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20 |
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II |
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin` |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 3_2_0041CB50 |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 459000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 471000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 477000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 478000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47E000 | Jump to behavior |
Source: C:\Users\user\Desktop\BDQfYL99b2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4BF4008 | Jump to behavior |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager& |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managero |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerj |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2 |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager` |
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager| |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoA, | 3_2_0040F8D1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: EnumSystemLocalesW, | 3_2_00452036 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 3_2_004520C3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoW, | 3_2_00452313 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: EnumSystemLocalesW, | 3_2_00448404 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 3_2_0045243C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoW, | 3_2_00452543 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 3_2_00452610 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: GetLocaleInfoW, | 3_2_004488ED |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 3_2_00451CD8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: EnumSystemLocalesW, | 3_2_00451F50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: EnumSystemLocalesW, | 3_2_00451F9B |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR |