Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp | String found in binary or memory: http://kBTuTq.com |
Source: RegAsm.exe | String found in binary or memory: https://onedrive.live.com/download?cid=876616565B0E44B1&resid=876616565B0E44B1%213215&authkey=AC2zGE |
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411464 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410C71 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411817 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411016 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_004114E6 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410CF8 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041108A |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_004110AC |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041156A |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0040411C |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041191C |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411133 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_004115F5 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041199B |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410E05 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411237 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_004112D0 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410E88 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041134F |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410B5E |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410F06 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_0041170E |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_004113D2 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410BF4 |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00410F8F |
Source: C:\Users\user\Desktop\payment.exe | Code function: 0_2_00411796 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056D7F2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1CF247B2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1CF2D6D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1CF24827 |
Source: unknown | Process created: C:\Users\user\Desktop\payment.exe 'C:\Users\user\Desktop\payment.exe' |
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe' |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\payment.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe' |
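The four process-creation records above are the clearest injection evidence in this report: RegAsm.exe, a signed .NET framework utility, is started by payment.exe with payment.exe's own path as its command line, which is what RunPE / process-hollowing loaders look like in process-creation telemetry. The following Python is an added triage example, not part of the original report or of the sandbox vendor's tooling; it parses those records, compares the on-disk image with the executable the logged command line names, and flags a known hollowing host spawned from a user-writable path. The record lines are excerpted from the report; HOLLOW_HOSTS and USER_WRITABLE are this example's own watch-lists.

```python
"""Process-tree triage for the 'Process created' records above.

Added example; not part of the original report or of the sandbox vendor's
tooling. It flags the pattern those records show: a .NET framework utility
(RegAsm.exe) started with the parent's own command line, which is how
RunPE / process-hollowing loaders appear in process-creation telemetry.
"""
import ntpath
import re

RECORD = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|\s*Process created:\s*(?P<rest>.+?)\s*\|?\s*$"
)
# First token ending in .exe is the image; the remainder is the logged command line.
IMAGE_AND_CMD = re.compile(r"(?is)^(?P<image>.+?\.exe)\s+(?P<cmd>.*)$")

# Example watch-list: signed Microsoft binaries that loaders commonly start
# suspended and overwrite because they are expected to run .NET code.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_LINES = [  # excerpted from the report above
    r"Source: unknown | Process created: C:\Users\user\Desktop\payment.exe 'C:\Users\user\Desktop\payment.exe' |",
    r"Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe' |",
    r"Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |",
    r"Source: C:\Users\user\Desktop\payment.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe' |",
]


def parse_process_created(line):
    """Return (creator, image, cmdline) for a 'Process created' record, else None."""
    m = RECORD.match(line)
    if not m:
        return None
    im = IMAGE_AND_CMD.match(m.group("rest"))
    if not im:
        return None
    return m.group("src"), im.group("image"), im.group("cmd").strip()


def argv0(cmdline):
    """First command-line element with the sandbox's quoting removed."""
    if cmdline[:1] in ("'", '"'):
        end = cmdline.find(cmdline[0], 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage_process_tree(lines):
    """Return (indicator, subject, detail) tuples for suspicious process creations."""
    findings = []
    for line in lines:
        rec = parse_process_created(line)
        if rec is None:
            continue
        creator, image, cmdline = rec
        img_name = ntpath.basename(image).lower()
        cmd_name = ntpath.basename(argv0(cmdline)).lower()
        # Indicator 1: the executable on disk is not the one the command line
        # names. A hollowed host inherits the loader's command line in its
        # PEB, so the two disagree; ordinary launches agree on the basename.
        if cmd_name != img_name:
            findings.append(("image/cmdline mismatch", image, cmdline))
        # Indicator 2: a known hollowing host spawned by a binary living in a
        # user-writable location.
        if img_name in HOLLOW_HOSTS and creator.lower().startswith(USER_WRITABLE):
            findings.append(("hollowing host spawned from user-writable path", creator, image))
    return findings


if __name__ == "__main__":
    for indicator, subject, detail in triage_process_tree(SAMPLE_LINES):
        print(f"{indicator}: {subject} -> {detail}")
```

Run against the four records, the conhost.exe creation produces nothing (image and command line agree), while both RegAsm.exe creations trip the mismatch check and the one with a known creator also trips the user-writable-path check. The basename comparison tolerates the `\??\` and case differences Windows telemetry often shows, but it cannot see an empty or rewritten command line, so treat a mismatch as a lead to confirm against memory (unbacked executable regions in RegAsm.exe), not as proof on its own.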
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00567050 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056B050 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056705C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056B05C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00568058 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00565058 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00566058 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056B044 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00566040 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A040 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056804C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056504C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056604C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A04C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00567049 push di; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00567074 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056B074 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00568070 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00565070 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00566070 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056807C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056607C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056507C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A078 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A066 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00568064 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00565064 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00566064 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A06C push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00567068 push edi; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056A016 push edi; ret |
Source: C:\Users\user\Desktop\payment.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\payment.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\payment.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 00000000004468FB second address: 00000000004468FB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4A85B8858h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 jmp 00007FF4A85B8896h 0x00000023 test dx, bx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FF4A85B87ADh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp al, bl 0x00000033 push ecx 0x00000034 test ebx, eax 0x00000036 test cx, ax 0x00000039 call 00007FF4A85B891Ah 0x0000003e call 00007FF4A85B8868h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 00000000004414CD second address: 0000000000441549 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b mov ah, D8h 0x0000000d cmp ah, FFFFFFD8h 0x00000010 jne 00007FF4A85BC575h 0x00000016 popad 0x00000017 jmp 00007FF4A85B8896h 0x00000019 test al, cl 0x0000001b mov esi, 1A100000h 0x00000020 sub esi, 00001000h 0x00000026 push 00000004h 0x00000028 push 00003000h 0x0000002d mov dword ptr [ebp+64h], esi 0x00000030 mov ebx, ebp 0x00000032 pushad 0x00000033 mov ecx, 000000B2h 0x00000038 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 0000000000441CC9 second address: 0000000000441CDC instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push 0003E800h 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044215A second address: 000000000044215A instructions: |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 00000000004452BD second address: 00000000004452BD instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions: |
Source: C:\Users\user\Desktop\payment.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\payment.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044C4E9 second address: 000000000044C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044C664 second address: 000000000044C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044C119 second address: 000000000044C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 0000000000446DCA second address: 0000000000446DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A8871918h 0x0000001d popad 0x0000001e call 00007FF4A886B655h 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044F427 second address: 000000000044F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A886B98Dh 0x00000015 jmp 00007FF4A886B5A6h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A886B939h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A886B92Fh 0x0000002f jmp 00007FF4A886B5A6h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A886B5A6h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 000000000044608B second address: 0000000000446102 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bx, ax 0x0000000e cmp dword ptr [esp+08h], 0Ah 0x00000013 jg 00007FF4A886B5E2h 0x00000019 test ebx, edx 0x0000001b cmp ecx, 70DD50C1h 0x00000021 jmp 00007FF4A886E112h 0x00000026 call 00007FF4A88689FFh 0x0000002b pop eax 0x0000002c pushad 0x0000002d lfence 0x00000030 rdtsc |
Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 0000000000446102 second address: 00000000004497C4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push edi 0x0000000c cmp bh, FFFFFF83h 0x0000000f push eax 0x00000010 test ax, ax 0x00000013 call 00007FF4A85BBE67h 0x00000018 jmp 00007FF4A85B889Ah 0x0000001a test bh, bh 0x0000001c jmp 00007FF4A85B8896h 0x0000001e pushad 0x0000001f mov ecx, 00000026h 0x00000024 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000056C4E9 second address: 000000000056C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000056C664 second address: 000000000056C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000056C119 second address: 000000000056C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000566DCA second address: 0000000000566DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A85BEC08h 0x0000001d popad 0x0000001e call 00007FF4A85B8945h 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000561549 second address: 000000000056BD6F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, 64h 0x00000006 push ebx 0x00000007 jmp 00007FF4A886B5AAh 0x00000009 push si 0x0000000b mov si, 323Dh 0x0000000f pop si 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+68h], 00000000h 0x0000001a add ebx, 04h 0x0000001d push ebx 0x0000001e cmp bx, ax 0x00000021 push FFFFFFFFh 0x00000023 test cl, bl 0x00000025 call 00007FF4A8875976h 0x0000002a jmp 00007FF4A8868408h 0x0000002f call 00007FF4A886E6BDh 0x00000034 pop ebx 0x00000035 cmp dword ptr [ebx], 00000000h 0x00000038 jne 00007FF4A886B819h 0x0000003e jmp 00007FF4A886B5A6h 0x00000040 cmp cl, dl 0x00000042 jmp 00007FF4A886B5AAh 0x00000044 test cx, cx 0x00000047 jmp 00007FF4A886B5A6h 0x00000049 pushad 0x0000004a mov ecx, 00000077h 0x0000004f rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000056F427 second address: 000000000056F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A85B8C7Dh 0x00000015 jmp 00007FF4A85B8896h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A85B8C29h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A85B8C1Fh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A85B8896h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc |
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\payment.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_005664EC mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00566534 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056DC0F mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056AC3D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0056BF85 mov eax, dword ptr fs:[00000030h] |
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: &Program Manager |
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
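The intercepted instruction streams above are worth decoding rather than skimming: each window opens and closes with rdtsc and brackets a cpuid (an instruction a hypervisor must trap, so the cycle delta balloons under virtualization); one window executes cpuid leaf 1 and then tests ECX bit 31, the hypervisor-present flag; another reads KUSER_SHARED_DATA.SystemTime at 0x7FFE0014 twice and subtracts, a wall-clock delta to compare against the cycle delta; others reach the PEB through fs:[30h]. Alongside these sit the ThreadHideFromDebugger thread-information calls, the probes for the QEMU guest agent, and lookups of the Progman and Shell_TrayWnd window classes. The following Python is an added triage example, not part of the original report or of the sandbox vendor's code; it parses such records into named techniques. The sample records are excerpted verbatim from the report, the technique labels are this example's own, and the Hyper-V message strings are deliberately left unscored because they read as system error-message text and do not on their own show the sample doing anything.

```python
"""Anti-analysis triage over the sandbox records above.

Added example; not part of the original report or of the sandbox vendor's
code. It decodes the 'RDTSC instruction interceptor' instruction streams and
the thread, file, code-function and string records into the evasion
techniques they evidence. Sample records are excerpted from the report.
"""
import re
from collections import Counter

RECORD = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<kind>[^:|]+):\s*(?P<body>.*?)\s*\|?\s*$"
)
INSN = re.compile(r"0x[0-9A-Fa-f]{8}\s+(?P<text>.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")
# 0x7FFE0000 is the x86 user-mode alias of KUSER_SHARED_DATA; +0x14 is SystemTime.
KUSER_SYSTEMTIME = "[7FFE0014h]"

SAMPLE_RECORDS = [  # excerpted verbatim from the report above
    r"Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 00000000004468FB second address: 00000000004468FB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4A85B8858h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 jmp 00007FF4A85B8896h 0x00000023 test dx, bx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FF4A85B87ADh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp al, bl 0x00000033 push ecx 0x00000034 test ebx, eax 0x00000036 test cx, ax 0x00000039 call 00007FF4A85B891Ah 0x0000003e call 00007FF4A85B8868h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc |",
    r"Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 0000000000441CC9 second address: 0000000000441CDC instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push 0003E800h 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc |",
    r"Source: C:\Users\user\Desktop\payment.exe | RDTSC instruction interceptor: First address: 0000000000446DCA second address: 0000000000446DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A8871918h 0x0000001d popad 0x0000001e call 00007FF4A886B655h 0x00000023 lfence 0x00000026 rdtsc |",
    r"Source: C:\Users\user\Desktop\payment.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |",
    r"Source: C:\Users\user\Desktop\payment.exe | Thread information set: HideFromDebugger |",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_005664EC mov eax, dword ptr fs:[00000030h] |",
    r"Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Progman |",
]


def parse_record(line):
    """Split one report line into (source, record kind, body)."""
    m = RECORD.match(line)
    return (m.group("src"), m.group("kind"), m.group("body")) if m else None


def decode_stream(body):
    """Turn '... instructions: 0x00000000 rdtsc 0x00000002 ...' into a list of instructions."""
    _, _, stream = body.partition("instructions:")
    return [m.group("text").strip() for m in INSN.finditer(stream)]


def _leaf_is_1(insns, k):
    """True when the instructions just before the cpuid at index k set eax to 1."""
    window = insns[max(0, k - 3):k]
    return "mov eax, 00000001h" in window or ("xor eax, eax" in window and "inc eax" in window)


def classify_stream(insns):
    """Name the evasion techniques visible in one intercepted instruction window."""
    techniques = set()
    mnemonics = [insn.split()[0] for insn in insns]
    if mnemonics.count("rdtsc") >= 2:
        techniques.add("rdtsc timing window")
        if "cpuid" in mnemonics:
            # cpuid unconditionally exits to the hypervisor, so the cycles
            # between the two rdtsc reads are far larger under virtualization.
            techniques.add("rdtsc/cpuid VM-exit timing")
    for k, insn in enumerate(insns):
        # CPUID leaf 1 followed by a test of ECX bit 31: the hypervisor-present flag.
        if insn == "cpuid" and _leaf_is_1(insns, k) and k + 1 < len(insns) \
                and insns[k + 1].startswith("bt ecx, 1Fh"):
            techniques.add("CPUID.1:ECX[31] hypervisor-present bit")
        if KUSER_SYSTEMTIME in insn:
            techniques.add("KUSER_SHARED_DATA.SystemTime read")
        if "fs:[00000030h]" in insn:
            techniques.add("PEB access via fs:[30h]")
    return techniques


def triage(lines):
    """Count technique evidence across a set of report lines."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _src, kind, body = rec
        if kind == "RDTSC instruction interceptor":
            hits.update(classify_stream(decode_stream(body)))
        elif kind == "Thread information set" and body == "HideFromDebugger":
            hits["NtSetInformationThread(ThreadHideFromDebugger)"] += 1
        elif kind == "File opened" and body.lower().endswith(("qemu-ga.exe", "qga.exe")):
            hits["QEMU guest-agent probe"] += 1
        elif kind == "Code function" and "fs:[00000030h]" in body:
            hits["PEB access via fs:[30h]"] += 1
        elif kind == "Binary or memory string" and body in ("Progman", "Shell_TrayWnd"):
            hits["desktop window-class lookup (Progman/Shell_TrayWnd)"] += 1
    return hits


if __name__ == "__main__":
    for technique, count in triage(SAMPLE_RECORDS).most_common():
        print(f"{count:2d}  {technique}")
```

The window-class lookups are the weakest signal in the set: Progman and Shell_TrayWnd are the desktop and taskbar windows, and asking for them is a common "is there a real interactive desktop" check but also ordinary GUI behaviour, so score them only in combination with the timing and debugger checks. The rdtsc/cpuid windows, the hypervisor bit test and ThreadHideFromDebugger, by contrast, have no benign reading in a payment-themed dropper.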
Source: C:\Users\user\Desktop\payment.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\payment.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |