Source: AMPUTERE.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp |
String found in binary or memory: http://CFlLIU.com |
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1YqpUxJBnjokc5FJGT-8XzuYbR97RtVG2 |
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: AMPUTERE.exe, 00000000.00000002.811048059.00000000005EA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107349 NtQueryInformationProcess, |
19_2_01107349 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01106E63 NtProtectVirtualMemory, |
19_2_01106E63 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110752F NtQueryInformationProcess, |
19_2_0110752F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110755B NtQueryInformationProcess, |
19_2_0110755B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110759F NtQueryInformationProcess, |
19_2_0110759F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107583 NtQueryInformationProcess, |
19_2_01107583 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011075BB NtQueryInformationProcess, |
19_2_011075BB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011075E7 NtQueryInformationProcess, |
19_2_011075E7 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107417 NtQueryInformationProcess, |
19_2_01107417 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107437 NtQueryInformationProcess, |
19_2_01107437 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107457 NtQueryInformationProcess, |
19_2_01107457 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107477 NtQueryInformationProcess, |
19_2_01107477 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011074A0 NtQueryInformationProcess, |
19_2_011074A0 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011074DF NtQueryInformationProcess, |
19_2_011074DF |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110770C NtQueryInformationProcess, |
19_2_0110770C |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107747 NtQueryInformationProcess, |
19_2_01107747 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110777F NtQueryInformationProcess, |
19_2_0110777F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107363 NtQueryInformationProcess, |
19_2_01107363 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107384 NtQueryInformationProcess, |
19_2_01107384 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011073B3 NtQueryInformationProcess, |
19_2_011073B3 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011073CB NtQueryInformationProcess, |
19_2_011073CB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011073EB NtQueryInformationProcess, |
19_2_011073EB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107603 NtQueryInformationProcess, |
19_2_01107603 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01106E22 NtProtectVirtualMemory, |
19_2_01106E22 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01106E47 NtProtectVirtualMemory, |
19_2_01106E47 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107663 NtQueryInformationProcess, |
19_2_01107663 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011076AB NtQueryInformationProcess, |
19_2_011076AB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011076CB NtQueryInformationProcess, |
19_2_011076CB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_1DC8B0BA NtQuerySystemInformation, |
19_2_1DC8B0BA |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_1DC8B089 NtQuerySystemInformation, |
19_2_1DC8B089 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409418 |
0_2_00409418 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A862 |
0_2_0040A862 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A078 |
0_2_0040A078 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A478 |
0_2_0040A478 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040943F |
0_2_0040943F |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409886 |
0_2_00409886 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004094B0 |
0_2_004094B0 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A101 |
0_2_0040A101 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A50A |
0_2_0040A50A |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409D0C |
0_2_00409D0C |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409918 |
0_2_00409918 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409DED |
0_2_00409DED |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409588 |
0_2_00409588 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A193 |
0_2_0040A193 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A595 |
0_2_0040A595 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004099A6 |
0_2_004099A6 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004095BE |
0_2_004095BE |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409649 |
0_2_00409649 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A628 |
0_2_0040A628 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409A2A |
0_2_00409A2A |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409A2C |
0_2_00409A2C |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409E30 |
0_2_00409E30 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A2C0 |
0_2_0040A2C0 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409EC4 |
0_2_00409EC4 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004096D5 |
0_2_004096D5 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A6FC |
0_2_0040A6FC |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A6B3 |
0_2_0040A6B3 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409ABB |
0_2_00409ABB |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A746 |
0_2_0040A746 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409B50 |
0_2_00409B50 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040A356 |
0_2_0040A356 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409F5F |
0_2_00409F5F |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409762 |
0_2_00409762 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409BE2 |
0_2_00409BE2 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00409FE9 |
0_2_00409FE9 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004097F4 |
0_2_004097F4 |
Source: AMPUTERE.exe, 00000000.00000002.811248602.0000000002200000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs AMPUTERE.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_1DC8AF3E AdjustTokenPrivileges, |
19_2_1DC8AF3E |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_1DC8AF07 AdjustTokenPrivileges, |
19_2_1DC8AF07 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\AMPUTERE.exe 'C:\Users\user\Desktop\AMPUTERE.exe' |
|
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe' |
|
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: Yara match |
File source: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040306C push esi; iretd |
0_2_00403078 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040307A push esi; ret |
0_2_0040307C |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004034DD push ebp; ret |
0_2_004034DE |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004058EE push esi; ret |
0_2_00405918 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040888A push esi; ret |
0_2_0040888C |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_004071F6 push esi; retf |
0_2_0040723C |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_0040723D push esi; ret |
0_2_00407280 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Code function: 0_2_00404BEA push esi; iretd |
0_2_00404BEC |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01104B84 push dword ptr [ebp+77h]; ret |
19_2_01104B89 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01107384 push cs; retn EB1Ah |
19_2_011073A0 |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 00000000005261EC second address: 00000000005261EC instructions: |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 0000000000526246 second address: 0000000000526246 instructions: |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 0000000000526315 second address: 0000000000526315 instructions: |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 00000000005233AC second address: 00000000005233AC instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99848EE8F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dh, ch 0x00000020 add edi, edx 0x00000022 test ecx, ebx 0x00000024 dec ecx 0x00000025 jmp 00007F99848EE90Ah 0x00000027 test bl, bl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F99848EE8A5h 0x0000002e push ecx 0x0000002f jmp 00007F99848EE90Ah 0x00000031 cmp bh, ah 0x00000033 cmp ah, bh 0x00000035 call 00007F99848EE93Fh 0x0000003a call 00007F99848EE908h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 0000000000526BD4 second address: 0000000000526BD4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFB8h 0x0000000d jne 00007F99848EE922h 0x0000000f cmp ecx, 00002000h 0x00000015 jne 00007F99848EE7C6h 0x0000001b inc ecx 0x0000001c inc ebx 0x0000001d test cl, dl 0x0000001f cmp dword ptr [ebx], 9090C350h 0x00000025 jne 00007F99848EE926h 0x00000027 cmp edx, 257E6A7Fh 0x0000002d cmp edx, dword ptr [ebx] 0x0000002f jne 00007F99848EE916h 0x00000031 test dh, ch 0x00000033 cmp byte ptr [ebx], FFFFFFE8h 0x00000036 jne 00007F99848EE95Bh 0x00000038 cmp edi, 1B7EF1A7h 0x0000003e pushad 0x0000003f rdtsc |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 00000000005209F7 second address: 00000000005209F7 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001101F83 second address: 0000000001101F83 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
RDTSC instruction interceptor: First address: 00000000005235B0 second address: 00000000005235B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99845B8528h 0x0000001d popad 0x0000001e jmp 00007F99845B565Ah 0x00000020 test ch, dh 0x00000022 call 00007F99845B568Bh 0x00000027 lfence 0x0000002a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 00000000011035B0 second address: 00000000011035B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99848F17D8h 0x0000001d popad 0x0000001e jmp 00007F99848EE90Ah 0x00000020 test ch, dh 0x00000022 call 00007F99848EE93Bh 0x00000027 lfence 0x0000002a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001101F6C second address: 0000000001101F83 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F99845B5BC9h 0x00000008 cmp dword ptr [edi+00000818h], 00000000h 0x0000000f je 00007F99845B5708h 0x00000015 test ah, ah 0x00000017 ret 0x00000018 cmp edx, A37443ABh 0x0000001e test edx, ecx 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 pushad 0x00000027 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772 |
Thread sleep time: -3210000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Thread delayed: delay time: 30000 |
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: RegAsm.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\AMPUTERE.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_0110690F mov eax, dword ptr fs:[00000030h] |
19_2_0110690F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01106977 mov eax, dword ptr fs:[00000030h] |
19_2_01106977 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_011031DF mov eax, dword ptr fs:[00000030h] |
19_2_011031DF |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01106089 mov eax, dword ptr fs:[00000030h] |
19_2_01106089 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01105733 mov eax, dword ptr fs:[00000030h] |
19_2_01105733 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 19_2_01103200 mov eax, dword ptr fs:[00000030h] |
19_2_01103200 |
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: Yara match |
File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY |