Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: deadtrainingactioniw.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: qualificationjdwko.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: grandcommonyktsju.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: wordingnatturedowo.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: crisisrottenyjs.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: sweetcalcutangkdow.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: cooperatvassquaidmew.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: exuberanttjdkwo.xyz |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: TeslaBrowser/5.5 |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: - Screen Resoluton: |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: - Physical Installed Memory: |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: Workgroup: - |
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp |
String decryptor: LPnhqo--@fondnesssw |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp dword ptr [esi+edx*8], 00D23749h |
3_2_00587090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esp] |
3_2_00587090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov word ptr [edi], ax |
3_2_00563F6C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then movzx eax, word ptr [edi+esi*4] |
3_2_00558170 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then lea eax, dword ptr [edi+04h] |
3_2_00571135 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp dword ptr [ecx+edx*8], 3BEBD150h |
3_2_00584934 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov edi, dword ptr [esi] |
3_2_005889DF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then movsx eax, byte ptr [esi+ecx] |
3_2_0055D1C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
3_2_005891FB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp esi |
3_2_0058A192 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp byte ptr [edi+ebx+01h], 00000000h |
3_2_0056CA4C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h |
3_2_00563A7E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h |
3_2_00563A7A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp esi |
3_2_0058A260 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp edx |
3_2_00571A15 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ecx, dword ptr [esp] |
3_2_00570239 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esi+40h] |
3_2_00577239 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esp] |
3_2_00586A90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ecx, dword ptr [esp+04h] |
3_2_00566340 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h |
3_2_0058BB40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_00573329 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_0056E3F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp edx |
3_2_00571BF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then inc ebx |
3_2_00565390 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], al |
3_2_00575BB5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], al |
3_2_005763BB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], al |
3_2_0057644B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then inc eax |
3_2_00562470 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then xor eax, eax |
3_2_0056D413 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp dword ptr [esi+edx*8], B33E16A3h |
3_2_00586CC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ecx, dword ptr [esp+00000890h] |
3_2_0056E4F4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], al |
3_2_0057638D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_0056E490 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov edi, dword ptr [esp+5Ch] |
3_2_00566CB0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ebx, dword ptr [edi+04h] |
3_2_00574D50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_00572D7E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp byte ptr [edi], 00000000h |
3_2_00562D60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov edi, dword ptr [esi+04h] |
3_2_00573517 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov word ptr [eax], cx |
3_2_0056551E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esi+04h] |
3_2_00563500 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h |
3_2_00563D28 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esi+04h] |
3_2_005635C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_0056FDFC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ebx, eax |
3_2_005535A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov eax, dword ptr [esi+40h] |
3_2_00577602 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then movzx eax, word ptr [edx] |
3_2_00587E00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp esi |
3_2_0058A630 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov dword ptr [esp+24h], 0000005Ch |
3_2_00584695 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then movzx ebx, byte ptr [edx] |
3_2_00582680 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ecx, dword ptr [esp+18h] |
3_2_0055FE8B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then jmp eax |
3_2_00551755 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov word ptr [edi], ax |
3_2_00564F78 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then movzx edi, byte ptr [ecx+esi] |
3_2_00553760 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then lea eax, dword ptr [eax+eax*4] |
3_2_00558F60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then or ebp, 04h |
3_2_0055171B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], dl |
3_2_00576704 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov ecx, dword ptr [esp] |
3_2_00559F20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov byte ptr [edi], al |
3_2_00575FE4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then add ecx, 03h |
3_2_00573FBB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Code function: 4x nop then mov dword ptr [esi], ebp |
3_2_00551FA0 |
Source: Traffic |
Snort IDS: 2054125 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) 192.168.2.9:50884 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054131 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) 192.168.2.9:50034 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054129 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) 192.168.2.9:61762 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054127 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) 192.168.2.9:55520 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054123 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) 192.168.2.9:51384 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054121 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) 192.168.2.9:55685 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054119 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) 192.168.2.9:57788 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2054117 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) 192.168.2.9:58515 -> 1.1.1.1:53 |
Source: Malware configuration extractor |
URLs: deadtrainingactioniw.xyz |
Source: Malware configuration extractor |
URLs: qualificationjdwko.xyz |
Source: Malware configuration extractor |
URLs: grandcommonyktsju.xyz |
Source: Malware configuration extractor |
URLs: wordingnatturedowo.xyz |
Source: Malware configuration extractor |
URLs: crisisrottenyjs.xyz |
Source: Malware configuration extractor |
URLs: sweetcalcutangkdow.xyz |
Source: Malware configuration extractor |
URLs: cooperatvassquaidmew.xyz |
Source: Malware configuration extractor |
URLs: exuberanttjdkwo.xyz |
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cooperatvassquaidmew.xyz/ |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cooperatvassquaidmew.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://crisisrottenyjs.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://deadtrainingactioniw.xyz/ |
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://deadtrainingactioniw.xyz/0 |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://deadtrainingactioniw.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://exuberanttjdkwo.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grandcommonyktsju.xyz/ |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grandcommonyktsju.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grandcommonyktsju.xyz/apiz? |
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/ |
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/7 |
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/A |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/apidO |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://qualificationjdwko.xyz/apizC |
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sweetcalcutangkdow.xyz/ |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sweetcalcutangkdow.xyz/api |
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sweetcalcutangkdow.xyz/apiz9 |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: webio.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\Loader.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 1340000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 30C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 16B0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 56C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 66C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 67F0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 77F0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 7B40000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 8B40000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Memory allocated: 9B40000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Loader.exe |
Code function: 0_2_6D323750 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, |
0_2_6D323750 |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: deadtrainingactioniw.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: qualificationjdwko.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: grandcommonyktsju.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: wordingnatturedowo.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: crisisrottenyjs.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: sweetcalcutangkdow.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: cooperatvassquaidmew.xyz |
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp |
String found in binary or memory: exuberanttjdkwo.xyz |