Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289517050.000000001DD50000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000003.862518902.00000000012F1000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289680896.000000001DDC6000.00000004.00000001.sdmp | String found in binary or memory: http://SFk55itrh2ylIByRGIl.net |
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp | String found in binary or memory: http://brimaq.com |
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp | String found in binary or memory: http://cWlbEv.com |
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0 |
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: RegAsm.exe, 00000014.00000002.1283640842.000000000125F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0 |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0? |
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp | String found in binary or memory: http://mail.brimaq.com |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202 |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0 |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0 |
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsrr |
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.l |
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0# |
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0 |
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0 |
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0 |
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp | String found in binary or memory: http://x1.kx |
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/) |
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/q5t04a04 |
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/g |
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/ |
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVk |
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVknc |
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5 |
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0 |
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00409055 push ss; ret |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_0040B45D push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_004090A4 push ss; ret |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00406151 push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00407566 push edi; ret |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00408D20 push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00409184 push ss; ret |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00407E4C push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_0040B657 push ebp; ret |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_0040BE67 push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00409A90 push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_0040BEAF push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_00409B6A push ss; iretd |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Code function: 0_2_022573AB push es; retf |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00F0B424 push edx; ret |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_1CDB0027 push eax; retf |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_1CDB7A37 push edi; retn 0000h |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_1D8BB9A1 pushfd ; retf |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_1D8BBB6F pushfd ; retf |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1U3UTP2E9N-KTYQTSUDKBYXSCSQIOJWVKWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO |
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE}[@W |
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 000000000225916B second address: 000000000225916B instructions: |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 000000000225AD54 second address: 000000000225AD54 instructions: |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 000000000225621F second address: 000000000225621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 00000000022571FE second address: 00000000022571FE instructions: |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 000000000225441C second address: 000000000225441C instructions: |
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe | RDTSC instruction interceptor: First address: 0000000002254C41 second address: 0000000002254CD8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, E4F5C3BBh 0x00000009 xor ebx, F04BE065h 0x0000000f push ebx 0x00000010 mov ebx, dword ptr [ebp+00000269h] 0x00000016 mov dword ptr [ebp+0000027Dh], edi 0x0000001c mov edi, 6EA3B468h 0x00000021 cmp edx, eax 0x00000023 cmp ecx, ecx 0x00000025 xor edi, CF0FEDB9h 0x0000002b xor edi, 3ACEA381h 0x00000031 xor edi, 9B62FA50h 0x00000037 jmp 00007FB080A5394Ah 0x00000039 pushad 0x0000003a mov esi, 0000005Fh 0x0000003f rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F0621F second address: 0000000000F0621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F03CA3 second address: 0000000000F03CA3 instructions: |
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe}[@W |
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll |
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW |
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW} |
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |