Source: https://feighminoritsjda.shop/ |
Avira URL Cloud: Label: malware |
Source: marathonbeedksow.shop |
Avira URL Cloud: Label: malware |
Source: https://richardflorespoew.shop/api |
Avira URL Cloud: Label: malware |
Source: https://marathonbeedksow.shop/ |
Avira URL Cloud: Label: malware |
Source: feighminoritsjda.shop |
Avira URL Cloud: Label: malware |
Source: https://feighminoritsjda.shop/% |
Avira URL Cloud: Label: malware |
Source: https://strwawrunnygjwu.shop/api |
Avira URL Cloud: Label: malware |
Source: backcreammykiel.shop |
Avira URL Cloud: Label: malware |
Source: https://justifycanddidatewd.shop/api |
Avira URL Cloud: Label: malware |
Source: https://raiseboltskdlwpow.shop/api |
Avira URL Cloud: Label: malware |
Source: 0.2.1Gvue8ItW8.exe.b90000.0.unpack |
Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@SEFYALUV"} |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: richardflorespoew.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: strwawrunnygjwu.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: justifycanddidatewd.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: raiseboltskdlwpow.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: falseaudiencekd.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: pleasurenarrowsdla.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: feighminoritsjda.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: marathonbeedksow.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: backcreammykiel.shop |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: TeslaBrowser/5.5 |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: - Screen Resoluton: |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: - Physical Installed Memory: |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: Workgroup: - |
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String decryptor: LPnhqo--@SEFYALUV |
Source: 1Gvue8ItW8.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then cmp dword ptr [ebx+edi*8], 22D223F1h |
1_2_0043878E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ecx, dword ptr [esi+04h] |
1_2_004389A3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp+00000888h] |
1_2_0041E274 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov word ptr [esi], ax |
1_2_00420210 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then jmp eax |
1_2_0041F2E1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then lea eax, dword ptr [edi+04h] |
1_2_00421288 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then push esi |
1_2_00416556 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then jmp ecx |
1_2_0043857C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ecx, dword ptr [esp+04h] |
1_2_0041C530 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp] |
1_2_004165D4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esi+28h] |
1_2_004275B6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then movzx edi, byte ptr [ecx+esi] |
1_2_00403630 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then cmp byte ptr [ecx], 00000000h |
1_2_004146A5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov edi, ebx |
1_2_00437740 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov esi, dword ptr [esp+60h] |
1_2_004177BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ecx, dword ptr [esp+60h] |
1_2_004177BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp+00000238h] |
1_2_004138FD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then jmp eax |
1_2_00439899 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ebx, dword ptr [edi+04h] |
1_2_00424920 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then inc ebx |
1_2_004159F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h |
1_2_0041FA7A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ecx, dword ptr [esp] |
1_2_00422AD1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov edx, eax |
1_2_0041CB1E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp+00000238h] |
1_2_00410B28 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov ecx, edi |
1_2_00424BC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov byte ptr [edi], al |
1_2_00426C18 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp+00000148h] |
1_2_00413C3A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h |
1_2_00415E0B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov word ptr [eax], cx |
1_2_00415E18 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov eax, dword ptr [esp] |
1_2_0041FE30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then movsx eax, byte ptr [esi+ecx] |
1_2_0040CEC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov byte ptr [edi], 0000002Bh |
1_2_00425F08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4x nop then mov byte ptr [edi], al |
1_2_00426FB0 |
Source: Traffic |
Snort IDS: 2053812 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop) 192.168.2.4:53429 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053682 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) 192.168.2.4:58922 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053680 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) 192.168.2.4:60118 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053678 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) 192.168.2.4:59335 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053676 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) 192.168.2.4:53223 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053674 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) 192.168.2.4:64289 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053672 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) 192.168.2.4:64375 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053670 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) 192.168.2.4:59976 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2053668 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) 192.168.2.4:60066 -> 1.1.1.1:53 |
Source: Malware configuration extractor |
URLs: richardflorespoew.shop |
Source: Malware configuration extractor |
URLs: strwawrunnygjwu.shop |
Source: Malware configuration extractor |
URLs: justifycanddidatewd.shop |
Source: Malware configuration extractor |
URLs: raiseboltskdlwpow.shop |
Source: Malware configuration extractor |
URLs: falseaudiencekd.shop |
Source: Malware configuration extractor |
URLs: pleasurenarrowsdla.shop |
Source: Malware configuration extractor |
URLs: feighminoritsjda.shop |
Source: Malware configuration extractor |
URLs: marathonbeedksow.shop |
Source: Malware configuration extractor |
URLs: backcreammykiel.shop |
Source: unknown |
DNS traffic detected: query: feighminoritsjda.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: justifycanddidatewd.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: falseaudiencekd.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: pleasurenarrowsdla.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: richardflorespoew.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: backcreammykiel.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: marathonbeedksow.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: strwawrunnygjwu.shop replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: raiseboltskdlwpow.shop replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: backcreammykiel.shop |
Source: global traffic |
DNS traffic detected: DNS query: marathonbeedksow.shop |
Source: global traffic |
DNS traffic detected: DNS query: feighminoritsjda.shop |
Source: global traffic |
DNS traffic detected: DNS query: pleasurenarrowsdla.shop |
Source: global traffic |
DNS traffic detected: DNS query: falseaudiencekd.shop |
Source: global traffic |
DNS traffic detected: DNS query: raiseboltskdlwpow.shop |
Source: global traffic |
DNS traffic detected: DNS query: justifycanddidatewd.shop |
Source: global traffic |
DNS traffic detected: DNS query: strwawrunnygjwu.shop |
Source: global traffic |
DNS traffic detected: DNS query: richardflorespoew.shop |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://crl.entrust.net/ts1ca.crl0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://ocsp.entrust.net02 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: Amcache.hve.4.dr |
String found in binary or memory: http://upx.sf.net |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: http://www.entrust.net/rpa03 |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://falseaudiencekd.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://feighminoritsjda.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://feighminoritsjda.shop/% |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://justifycanddidatewd.shop/% |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://justifycanddidatewd.shop/api |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://marathonbeedksow.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://raiseboltskdlwpow.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://raiseboltskdlwpow.shop/api |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://raiseboltskdlwpow.shop/apib |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://richardflorespoew.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://richardflorespoew.shop/:W= |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B53000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://richardflorespoew.shop/api |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://strwawrunnygjwu.shop/ |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://strwawrunnygjwu.shop/api |
Source: 1Gvue8ItW8.exe |
String found in binary or memory: https://www.entrust.net/rpa0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042EAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
1_2_0042EAD0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042F61A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, |
1_2_0042F61A |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA1880 |
0_2_00BA1880 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BAD2CE |
0_2_00BAD2CE |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B97A00 |
0_2_00B97A00 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BB1CA0 |
0_2_00BB1CA0 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA95A9 |
0_2_00BA95A9 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BB3DC6 |
0_2_00BB3DC6 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA464E |
0_2_00BA464E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043A090 |
1_2_0043A090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043C0B0 |
1_2_0043C0B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00420210 |
1_2_00420210 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0041F2E1 |
1_2_0041F2E1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00421288 |
1_2_00421288 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00408340 |
1_2_00408340 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043A310 |
1_2_0043A310 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042D33A |
1_2_0042D33A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042B3F9 |
1_2_0042B3F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00404450 |
1_2_00404450 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00434400 |
1_2_00434400 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00429500 |
1_2_00429500 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043A5C0 |
1_2_0043A5C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004165D4 |
1_2_004165D4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004225E3 |
1_2_004225E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00406630 |
1_2_00406630 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0041D6F0 |
1_2_0041D6F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042D73D |
1_2_0042D73D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00410810 |
1_2_00410810 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042B8B3 |
1_2_0042B8B3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00420947 |
1_2_00420947 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00427973 |
1_2_00427973 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0042792E |
1_2_0042792E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004039E0 |
1_2_004039E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00427986 |
1_2_00427986 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043A990 |
1_2_0043A990 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00405994 |
1_2_00405994 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0041CB1E |
1_2_0041CB1E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00420BC0 |
1_2_00420BC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00424BC0 |
1_2_00424BC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00422CD6 |
1_2_00422CD6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043BD90 |
1_2_0043BD90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00404E30 |
1_2_00404E30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00401F40 |
1_2_00401F40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00423F2F |
1_2_00423F2F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00436FA0 |
1_2_00436FA0 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: String function: 00B9CC80 appears 49 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 00408D40 appears 48 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 004109A0 appears 198 times |
|
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268 |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@4/5@9/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436 |
Source: 1Gvue8ItW8.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: 1Gvue8ItW8.exe |
ReversingLabs: Detection: 73% |
Source: 1Gvue8ItW8.exe |
Virustotal: Detection: 59% |
Source: unknown |
Process created: C:\Users\user\Desktop\1Gvue8ItW8.exe "C:\Users\user\Desktop\1Gvue8ItW8.exe" |
|
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268 |
|
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: webio.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 1Gvue8ItW8.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 1Gvue8ItW8.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: 1Gvue8ItW8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1Gvue8ItW8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1Gvue8ItW8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1Gvue8ItW8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1Gvue8ItW8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B9C56A push ecx; ret |
0_2_00B9C57D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00442101 push 0000007Bh; retf |
1_2_00442103 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004422EE push cs; retf |
1_2_004422EF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0043F35B pushad ; iretd |
1_2_0043F369 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00442386 push ebp; iretd |
1_2_00442387 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004426F6 push esp; iretd |
1_2_004426E1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_004426F6 push es; retf |
1_2_00442709 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00441689 push D379FC65h; retf |
1_2_0044168E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_00442692 push esp; iretd |
1_2_004426E1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 1_2_0044173B push 6E8C8D5Fh; ret |
1_2_00441745 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA0943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00BA0943 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA6C75 mov ecx, dword ptr fs:[00000030h] |
0_2_00BA6C75 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BADFC5 mov eax, dword ptr fs:[00000030h] |
0_2_00BADFC5 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00BA0943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00BA0943 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B9CA5E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00B9CA5E |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B9CBBA SetUnhandledExceptionFilter, |
0_2_00B9CBBA |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B9CCF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00B9CCF3 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_009D018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, |
0_2_009D018D |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: richardflorespoew.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: strwawrunnygjwu.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: justifycanddidatewd.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: raiseboltskdlwpow.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: falseaudiencekd.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: pleasurenarrowsdla.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: feighminoritsjda.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: marathonbeedksow.shop |
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: backcreammykiel.shop |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 87B008 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW, |
0_2_00BB2855 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: EnumSystemLocalesW, |
0_2_00BAA198 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetACP,IsValidCodePage,GetLocaleInfoW, |
0_2_00BB21EF |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_00BB297E |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW, |
0_2_00BB2A84 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW, |
0_2_00BB23EA |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00BB2B53 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: EnumSystemLocalesW, |
0_2_00BB2491 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: EnumSystemLocalesW, |
0_2_00BB24DC |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: EnumSystemLocalesW, |
0_2_00BB2577 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW, |
0_2_00BAA6BE |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00BB2602 |
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe |
Code function: 0_2_00B9C954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00B9C954 |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: MsMpEng.exe |