Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541692
MD5: 31c4dc3c764474d495340d6aa688e639
SHA1: 208a17ba8dbf1cab0a603b2a175e115c1e5d6a72
SHA256: 6a159a3587508bfb504d2a7cf6fd993361316102d416182b10d5516232383d09
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: file.exe.2168.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["mobbipenju.store", "spirittunek.store", "dissapoiznw.store", "studennotediw.store", "clearancek.site", "eaglepawnoy.store", "licendfilteo.site", "bathdoomgaz.store"], "Build id": "4SD0y4--legendaryy"}
Source: bathdoomgaz.store Virustotal: Detection: 20%
Source: spirittunek.store Virustotal: Detection: 21%
Source: eaglepawnoy.store Virustotal: Detection: 20%
Source: file.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2205303096.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00B050FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00ACD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_00B063B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00B099D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_00B0695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00ACFCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00AD0EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00B06094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00AD6F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_00AFF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_00AC1000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00B04040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_00AED1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00AD42FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00AE2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00AE2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_00AF23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00AF23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_00AF23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_00ACA300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_00B064B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00AEE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_00ADB410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_00AEC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00B01440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00ADD457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_00AC8590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00B07520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00AD6536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AE9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00AEE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00AFB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00AED7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_00B067EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00B07710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00B05700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00AE28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_00AC49A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00B03920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_00ADD961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AD1ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AD1A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00B04A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00AC5A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00AF0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00AD1BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00AD3BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_00ADDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_00ADDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00B09B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AEAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_00AEAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00B09CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00B09CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_00AECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00AECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_00AECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_00AFFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00AE7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_00AEEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00B08D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00AEDD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_00AEFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00AC6EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00AD6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_00ACBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00AD1E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00AD4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AE7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00AE5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_00AEAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00B05FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00B07FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00B07FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_00ADFFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00AC8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AE9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00AFFF70

Networking

Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:56553 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:51848 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:51966 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:59660 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:55266 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:57265 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55038 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:64533 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49711 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211360977.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211360977.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211360977.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000002.2211125821.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.s
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8d
Source: file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2192560687.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211125821.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.st
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211125821.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=b
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/sticker
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2192560687.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211125821.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apii
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/5
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/M
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api5
Source: file.exe, 00000000.00000003.2192560687.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211246324.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apip
Source: file.exe, 00000000.00000003.2192560687.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211125821.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apiVn
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2211125821.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.2211125821.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900jA5Y
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2192560687.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211125821.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/765611997243319005n
Source: file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2210825197.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211360977.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2211341731.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192709992.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2192534115.0000000001363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2192810225.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211288798.0000000001327000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD0228 0_2_00AD0228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD 0_2_00C9A0FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0A0D0 0_2_00B0A0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD2030 0_2_00AD2030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC1000 0_2_00AC1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9F01D 0_2_00C9F01D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04040 0_2_00B04040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACE1A0 0_2_00ACE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC71F0 0_2_00AC71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC5160 0_2_00AC5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC12F7 0_2_00AC12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF82D0 0_2_00AF82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF12D0 0_2_00AF12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACB3A0 0_2_00ACB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC13A3 0_2_00AC13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF23E0 0_2_00AF23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C8E35A 0_2_00C8E35A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACA300 0_2_00ACA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD4487 0_2_00AD4487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD049B 0_2_00AD049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF64F0 0_2_00AF64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C934A1 0_2_00C934A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C984B9 0_2_00C984B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEC470 0_2_00AEC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC35B0 0_2_00AC35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC8590 0_2_00AC8590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADC5F0 0_2_00ADC5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9D5BF 0_2_00C9D5BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B086F0 0_2_00B086F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFF620 0_2_00AFF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08652 0_2_00B08652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC164F 0_2_00AC164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE8A0 0_2_00AFE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFB8C0 0_2_00AFB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9187E 0_2_00C9187E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF1860 0_2_00AF1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C2A81E 0_2_00C2A81E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACA850 0_2_00ACA850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C7F9CC 0_2_00C7F9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C969C4 0_2_00C969C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B089A0 0_2_00B089A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE098B 0_2_00AE098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07AB0 0_2_00B07AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08A80 0_2_00B08A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04A40 0_2_00B04A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC7BF0 0_2_00AC7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9BB40 0_2_00C9BB40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADDB6F 0_2_00ADDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B06CBF 0_2_00B06CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C90C90 0_2_00C90C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AECCD0 0_2_00AECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08C02 0_2_00B08C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C8ADF7 0_2_00C8ADF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEDD29 0_2_00AEDD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEFD10 0_2_00AEFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE8D62 0_2_00AE8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD6EBF 0_2_00AD6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACBEB0 0_2_00ACBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD4E2A 0_2_00AD4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08E70 0_2_00B08E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEAE57 0_2_00AEAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C94F86 0_2_00C94F86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C87FAE 0_2_00C87FAE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07FC0 0_2_00B07FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC8FD0 0_2_00AC8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACAF10 0_2_00ACAF10
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00ACCAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00ADD300 appears 152 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995552289603961
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF8220 CoCreateInstance, 0_2_00AF8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 2996224 > 1048576
Source: file.exe Static PE information: Raw size of tgoperjb is bigger than: 0x100000 < 0x2b2200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.ac0000.0.unpack :EW;.rsrc :W;.idata :W;tgoperjb:EW;kunybgfa:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;tgoperjb:EW;kunybgfa:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2ded73 should be: 0x2de2e6
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: tgoperjb
Source: file.exe Static PE information: section name: kunybgfa
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 2A15691Eh; mov dword ptr [esp], esp 0_2_00C9A119
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 33163F4Dh; mov dword ptr [esp], ebp 0_2_00C9A126
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebp; mov dword ptr [esp], edx 0_2_00C9A1A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push esi; mov dword ptr [esp], ebx 0_2_00C9A218
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 6046E0FBh; mov dword ptr [esp], eax 0_2_00C9A2EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebx; mov dword ptr [esp], edi 0_2_00C9A313
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebx; mov dword ptr [esp], ecx 0_2_00C9A3C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebx; mov dword ptr [esp], edi 0_2_00C9A456
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 163A9742h; mov dword ptr [esp], edi 0_2_00C9A46B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 4BD30412h; mov dword ptr [esp], ebp 0_2_00C9A488
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push edi; mov dword ptr [esp], ebp 0_2_00C9A4AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 0A0B65BEh; mov dword ptr [esp], edx 0_2_00C9A5BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 3D5EAAA2h; mov dword ptr [esp], ecx 0_2_00C9A61E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push eax; mov dword ptr [esp], edi 0_2_00C9A672
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebp; mov dword ptr [esp], 77F7A9A0h 0_2_00C9A6F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 3B452823h; mov dword ptr [esp], eax 0_2_00C9A804
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebp; mov dword ptr [esp], ecx 0_2_00C9A815
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push eax; mov dword ptr [esp], 72C70DE9h 0_2_00C9A833
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 24C66CD3h; mov dword ptr [esp], edx 0_2_00C9A85F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 6528CA58h; mov dword ptr [esp], eax 0_2_00C9A872
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push edi; mov dword ptr [esp], edx 0_2_00C9A8AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ecx; mov dword ptr [esp], 08F071B0h 0_2_00C9A976
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ecx; mov dword ptr [esp], esi 0_2_00C9AA63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push edi; mov dword ptr [esp], esi 0_2_00C9AB01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebp; mov dword ptr [esp], 3FF76300h 0_2_00C9AB64
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebx; mov dword ptr [esp], 789CA874h 0_2_00C9ABA1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 68F747C2h; mov dword ptr [esp], edx 0_2_00C9AC7D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push edi; mov dword ptr [esp], ecx 0_2_00C9ACBA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebx; mov dword ptr [esp], ecx 0_2_00C9AD0E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push ebp; mov dword ptr [esp], ebx 0_2_00C9AD57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C9A0FD push 675C1587h; mov dword ptr [esp], edi 0_2_00C9AE22
Source: file.exe Static PE information: section name: entropy: 7.977275252454008

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B243DB second address: B23C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B6Dh 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F6D58FF7B77h 0x00000010 nop 0x00000011 jmp 00007F6D58FF7B75h 0x00000016 push dword ptr [ebp+122D15B1h] 0x0000001c jmp 00007F6D58FF7B6Bh 0x00000021 call dword ptr [ebp+122D1CF9h] 0x00000027 pushad 0x00000028 sub dword ptr [ebp+122D1CB6h], eax 0x0000002e xor eax, eax 0x00000030 jno 00007F6D58FF7B67h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007F6D58FF7B76h 0x0000003f add dword ptr [ebp+122D1CB6h], edi 0x00000045 mov dword ptr [ebp+122D2CB0h], eax 0x0000004b mov dword ptr [ebp+122D288Eh], esi 0x00000051 mov esi, 0000003Ch 0x00000056 clc 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b pushad 0x0000005c mov bx, si 0x0000005f mov ecx, ebx 0x00000061 popad 0x00000062 lodsw 0x00000064 mov dword ptr [ebp+122D2B55h], ecx 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e jmp 00007F6D58FF7B76h 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 pushad 0x00000078 jnl 00007F6D58FF7B6Ch 0x0000007e mov dx, 616Bh 0x00000082 popad 0x00000083 nop 0x00000084 pushad 0x00000085 jmp 00007F6D58FF7B6Bh 0x0000008a push eax 0x0000008b jmp 00007F6D58FF7B6Fh 0x00000090 pop eax 0x00000091 popad 0x00000092 push eax 0x00000093 push eax 0x00000094 push edx 0x00000095 jmp 00007F6D58FF7B72h 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5F93 second address: CA5FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6D592C716Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5FA6 second address: CA5FAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4EA3 second address: CA4EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C7172h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA51ED second address: CA51F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA51F3 second address: CA520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6D592C7172h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA53A2 second address: CA53BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6D58FF7B70h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8CE5 second address: CA8CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8CEC second address: CA8D27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jc 00007F6D58FF7B68h 0x00000014 push edi 0x00000015 jns 00007F6D58FF7B66h 0x0000001b pop edi 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 jmp 00007F6D58FF7B6Ah 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8DAA second address: CA8DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8DAE second address: CA8E13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6D58FF7B70h 0x0000000e popad 0x0000000f push eax 0x00000010 jc 00007F6D58FF7B75h 0x00000016 jmp 00007F6D58FF7B6Fh 0x0000001b nop 0x0000001c push ecx 0x0000001d stc 0x0000001e pop edx 0x0000001f mov dword ptr [ebp+122D2924h], ecx 0x00000025 push 00000000h 0x00000027 or dx, 7DCBh 0x0000002c and ecx, 429E64A2h 0x00000032 push 9EF991F7h 0x00000037 push eax 0x00000038 push edx 0x00000039 push edi 0x0000003a jg 00007F6D58FF7B66h 0x00000040 pop edi 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8E13 second address: CA8E5C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6D592C7168h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 61066E89h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F6D592C7168h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000003h 0x0000002d clc 0x0000002e push 00000000h 0x00000030 mov edi, 010B3392h 0x00000035 push 00000003h 0x00000037 sbb cx, 8992h 0x0000003c push CCD0FD21h 0x00000041 pushad 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8E5C second address: CA8EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jnp 00007F6D58FF7B66h 0x0000000e pop esi 0x0000000f popad 0x00000010 xor dword ptr [esp], 0CD0FD21h 0x00000017 jns 00007F6D58FF7B6Ch 0x0000001d sub esi, 42EF8F1Ah 0x00000023 lea ebx, dword ptr [ebp+12458BF9h] 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F6D58FF7B68h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 xor ecx, dword ptr [ebp+122D2E3Ch] 0x00000049 xchg eax, ebx 0x0000004a push edx 0x0000004b jnc 00007F6D58FF7B68h 0x00000051 pop edx 0x00000052 push eax 0x00000053 push ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 jg 00007F6D58FF7B66h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA91D7 second address: CA91DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAE2C second address: CBAE32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7701 second address: CC7705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7858 second address: CC7867 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F6D58FF7B6Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7B48 second address: CC7B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7B4C second address: CC7B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F6D58FF7B72h 0x0000000e jmp 00007F6D58FF7B6Ah 0x00000013 push esi 0x00000014 pop esi 0x00000015 jne 00007F6D58FF7B68h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6D58FF7B71h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7B83 second address: CC7B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7B87 second address: CC7B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8647 second address: CC864B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC864B second address: CC8688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push ecx 0x0000000a jbe 00007F6D58FF7B72h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6D58FF7B79h 0x00000017 jo 00007F6D58FF7B66h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92FE7 second address: C92FFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F6D592C716Eh 0x0000000c jnc 00007F6D592C7166h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC87D3 second address: CC87DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6D58FF7B66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC87DD second address: CC87EC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6D592C7166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8E76 second address: CC8E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8E7B second address: CC8EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6D592C7166h 0x0000000a jnp 00007F6D592C7166h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 jo 00007F6D592C716Eh 0x00000019 jne 00007F6D592C7166h 0x0000001f pushad 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6D592C716Dh 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9011 second address: CC9046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F6D58FF7B77h 0x0000000c jmp 00007F6D58FF7B6Dh 0x00000011 jg 00007F6D58FF7B6Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCC340 second address: CCC347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB1B3 second address: CCB1B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB1B7 second address: CCB1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6D592C7174h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCC9D1 second address: CCCA1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007F6D58FF7B66h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6D58FF7B6Dh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F6D58FF7B74h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6D58FF7B78h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCA1F second address: CCCA54 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6D592C7175h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6D592C7175h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCBBA second address: CCCBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCBBE second address: CCCBD0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6D592C7166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F6D592C7166h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCBD0 second address: CCCBFC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6D58FF7B76h 0x00000014 ja 00007F6D58FF7B66h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCBFC second address: CCCC16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D592C7176h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88C8E second address: C88C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88C94 second address: C88C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88C98 second address: C88C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88C9C second address: C88CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88CA2 second address: C88CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F6D58FF7B6Eh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88CBA second address: C88CC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88CC3 second address: C88CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e ja 00007F6D58FF7B66h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD51FF second address: CD520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jno 00007F6D592C7166h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD56AA second address: CD56DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F6D58FF7B66h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c jmp 00007F6D58FF7B78h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jg 00007F6D58FF7B66h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD56DB second address: CD56E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD56E1 second address: CD56E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD56E8 second address: CD56F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD56F1 second address: CD56FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD59E6 second address: CD59F2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6D592C716Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6708 second address: CD671D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD671D second address: CD6722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD696D second address: CD6977 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6977 second address: CD697B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6BC1 second address: CD6BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6BC7 second address: CD6BDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD74CF second address: CD74D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD77B8 second address: CD7809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F6D592C7168h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 jmp 00007F6D592C716Eh 0x00000026 push eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6D592C7173h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7CED second address: CD7CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD967E second address: CD9682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD9F5B second address: CD9F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6D58FF7B66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD9F66 second address: CD9F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F6D592C7166h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD9F7B second address: CD9F81 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDCE7C second address: CDCEDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C716Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b jbe 00007F6D592C7169h 0x00000011 xor ah, 00000032h 0x00000014 jmp 00007F6D592C716Ah 0x00000019 popad 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d clc 0x0000001e pop esi 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F6D592C7168h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b movzx edi, cx 0x0000003e push eax 0x0000003f pushad 0x00000040 jnp 00007F6D592C716Ch 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDCEDB second address: CDCEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4F93 second address: CE4FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D592C716Bh 0x00000009 popad 0x0000000a pop edi 0x0000000b nop 0x0000000c add dword ptr [ebp+122D277Fh], edi 0x00000012 push 00000000h 0x00000014 jbe 00007F6D592C7172h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F6D592C7168h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov edi, dword ptr [ebp+122D2D1Ch] 0x0000003c mov dword ptr [ebp+122D58C1h], ebx 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 jne 00007F6D592C716Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4FFE second address: CE500C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE00EE second address: CE00F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE11B4 second address: CE11B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE32D8 second address: CE32DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE500C second address: CE5010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE00F5 second address: CE010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6D592C716Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5010 second address: CE501A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE8287 second address: CE828E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63A1 second address: CE63A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63A5 second address: CE63A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63A9 second address: CE63AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63AF second address: CE63B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE8A95 second address: CE8A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63B4 second address: CE63D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F6D592C7176h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9985 second address: CE9989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE63D9 second address: CE63DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9989 second address: CE998F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE998F second address: CE9995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE64C0 second address: CE64E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6D58FF7B66h 0x0000000a popad 0x0000000b push edx 0x0000000c jng 00007F6D58FF7B66h 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 jg 00007F6D58FF7B74h 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007F6D58FF7B66h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9995 second address: CE9A1D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F6D592C7168h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+12460A78h], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F6D592C7168h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 call 00007F6D592C7173h 0x0000004c call 00007F6D592C716Eh 0x00000051 mov edi, 6179BEA7h 0x00000056 pop edi 0x00000057 pop edi 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d pop ecx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CED95E second address: CED96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D58FF7B6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA984 second address: CEA99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6D592C7174h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9B1F second address: CE9B25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEDBB9 second address: CEDBCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C716Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9B25 second address: CE9B2F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6D58FF7B6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEDBCC second address: CEDBE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007F6D592C7166h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 ja 00007F6D592C7166h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9BD9 second address: CE9BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D58FF7B6Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF0A62 second address: CF0A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEFC00 second address: CEFC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF0A68 second address: CF0A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF0A6D second address: CF0A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEFC04 second address: CEFC20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D592C716Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jnl 00007F6D592C7166h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3054 second address: CF305E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF9EB4 second address: CF9EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6D592C7166h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF95CC second address: CF95EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B76h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF95EB second address: CF95EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF95EF second address: CF95F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF95F3 second address: CF95F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF9912 second address: CF9916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF9916 second address: CF9952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6D592C7173h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F6D592C7176h 0x00000015 jc 00007F6D592C7166h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF9A97 second address: CF9AA5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE672 second address: CFE676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE676 second address: CFE67C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D04511 second address: D04516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A88B second address: C8A891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0315A second address: D03180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007F6D592C7181h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03180 second address: D03188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D038D7 second address: D038DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D038DC second address: D038E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D038E7 second address: D038ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D038ED second address: D038F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03A38 second address: D03A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6D592C7166h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03BB0 second address: D03BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03D1B second address: D03D25 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6D592C7166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03D25 second address: D03D31 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6D58FF7B6Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03E9C second address: D03EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6D592C716Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03EB3 second address: D03EC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F6D58FF7B66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03EC3 second address: D03EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D04081 second address: D04087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D04087 second address: D0408D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0408D second address: D040A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B71h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0421B second address: D0421F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D04377 second address: D0437B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0437B second address: D04381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D04381 second address: D0438B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99BC5 second address: C99BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99BC9 second address: C99C09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jp 00007F6D58FF7B98h 0x00000010 push ecx 0x00000011 jmp 00007F6D58FF7B6Ch 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6D58FF7B6Bh 0x0000001e jmp 00007F6D58FF7B6Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99C09 second address: C99C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0AAE4 second address: D0AB02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6D58FF7B72h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0AB02 second address: D0AB22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6D592C7175h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0AB22 second address: D0AB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE51 second address: D0CE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE55 second address: D0CE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6D58FF7B6Eh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jnp 00007F6D58FF7B66h 0x00000014 jmp 00007F6D58FF7B72h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE84 second address: D0CE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE88 second address: D0CE8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE8C second address: D0CE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CE92 second address: D0CE97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12861 second address: D12865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D115DB second address: D1160F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B70h 0x00000009 jmp 00007F6D58FF7B6Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6D58FF7B6Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1160F second address: D11613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11613 second address: D1161D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D125AD second address: D125CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C7177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D125CD second address: D125EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B6Ah 0x00000009 pop esi 0x0000000a pushad 0x0000000b jne 00007F6D58FF7B66h 0x00000011 jp 00007F6D58FF7B66h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DDD second address: D17DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DE1 second address: D17DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DE5 second address: D17DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6D592C716Fh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DFF second address: D17E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F6D58FF7B76h 0x0000000d ja 00007F6D58FF7B66h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17E25 second address: D17E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F6D592C7166h 0x0000000c jo 00007F6D592C7166h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17E39 second address: D17E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D180CC second address: D180D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6D592C7166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D180D8 second address: D180E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D180E0 second address: D180E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D180E4 second address: D18107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D58FF7B6Dh 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18107 second address: D18113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6D592C7166h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D183F7 second address: D1841F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F6D58FF7B66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6D58FF7B79h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18561 second address: D18567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D7B second address: D18D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D81 second address: D18D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D86 second address: D18D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F6D58FF7B66h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D93 second address: D18D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D99 second address: D18DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D191D0 second address: D191D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CEFF second address: D1CF1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D58FF7B73h 0x00000009 jnc 00007F6D58FF7B66h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CF1C second address: D1CF3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C7176h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CF3B second address: D1CF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F6D58FF7B6Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CF55 second address: D1CF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6D592C716Eh 0x0000000b popad 0x0000000c pushad 0x0000000d jnc 00007F6D592C7166h 0x00000013 jmp 00007F6D592C7174h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CF87 second address: D1CF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE54D second address: CDE563 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C716Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE563 second address: CDE5FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 25C27A4Bh 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F6D58FF7B68h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov dword ptr [ebp+124835D6h], edx 0x0000002e call 00007F6D58FF7B69h 0x00000033 pushad 0x00000034 pushad 0x00000035 jp 00007F6D58FF7B66h 0x0000003b pushad 0x0000003c popad 0x0000003d popad 0x0000003e jmp 00007F6D58FF7B70h 0x00000043 popad 0x00000044 push eax 0x00000045 push ecx 0x00000046 jnp 00007F6D58FF7B75h 0x0000004c pop ecx 0x0000004d mov eax, dword ptr [esp+04h] 0x00000051 push ecx 0x00000052 jp 00007F6D58FF7B68h 0x00000058 pushad 0x00000059 popad 0x0000005a pop ecx 0x0000005b mov eax, dword ptr [eax] 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F6D58FF7B73h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE5FD second address: CDE603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE603 second address: CDE608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE77B second address: CDE77F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE85D second address: CDE896 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jg 00007F6D58FF7B6Ah 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F6D58FF7B77h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f push esi 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE896 second address: CDE8A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE8A7 second address: CDE8B5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEE30 second address: CDEE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEFA9 second address: CDEFAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEFAD second address: CDEFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEFBA second address: CDEFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEFBE second address: CDEFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF226 second address: CDF23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jg 00007F6D58FF7B66h 0x00000011 js 00007F6D58FF7B66h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF23E second address: CDF270 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F6D592C7166h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 ja 00007F6D592C7174h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6D592C716Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF358 second address: CDF3C2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6D58FF7B6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D58FF7B6Bh 0x00000011 pop edx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F6D58FF7B68h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d pushad 0x0000002e jmp 00007F6D58FF7B6Eh 0x00000033 xor dword ptr [ebp+122D2557h], eax 0x00000039 popad 0x0000003a lea eax, dword ptr [ebp+1248DC44h] 0x00000040 mov dword ptr [ebp+1247F6A1h], ecx 0x00000046 nop 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a pushad 0x0000004b popad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF3C2 second address: CDF3C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF3C7 second address: CDF3E0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6D58FF7B68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnc 00007F6D58FF7B66h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF3E0 second address: CDF3E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF3E5 second address: CBEF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor dh, FFFFFF82h 0x0000000d call dword ptr [ebp+122D289Dh] 0x00000013 jo 00007F6D58FF7B7Fh 0x00000019 pushad 0x0000001a jnc 00007F6D58FF7B66h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D1BE second address: D1D1CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jo 00007F6D592C7166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D1CA second address: D1D1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6D58FF7B66h 0x0000000a jp 00007F6D58FF7B66h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D328 second address: D1D332 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6D592C7166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D8DB second address: D1D8E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D8E0 second address: D1D90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F6D592C716Fh 0x0000000b jmp 00007F6D592C7170h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D90C second address: D1D910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1DA74 second address: D1DA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1DA85 second address: D1DA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1DA89 second address: D1DAA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C7174h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20677 second address: D2067B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D201C8 second address: D20220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C716Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6D592C7170h 0x0000000e jmp 00007F6D592C7177h 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6D592C7175h 0x0000001c jnl 00007F6D592C7166h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20220 second address: D20224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2036F second address: D2038A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F6D592C7170h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2038A second address: D2038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2038E second address: D20394 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D237E8 second address: D23810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F6D58FF7B66h 0x0000000d jmp 00007F6D58FF7B78h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23810 second address: D2381B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6D592C7166h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2381B second address: D23838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6D58FF7B73h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23838 second address: D2385C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F6D592C7177h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2385C second address: D23862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C913C3 second address: C913D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6D592C716Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23142 second address: D23147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A6F second address: D28A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A74 second address: D28A8A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push edx 0x0000000f jg 00007F6D58FF7B66h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8DD8D second address: C8DD9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F6D592C7166h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8DD9B second address: C8DDAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B6Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D27CBC second address: D27CCE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6D592C716Ch 0x00000008 jns 00007F6D592C7166h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D27CCE second address: D27CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D27E21 second address: D27E32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F6D592C7166h 0x0000000b pop edi 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D27FDE second address: D27FF1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6D58FF7B6Eh 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28139 second address: D2813D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2813D second address: D28145 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28145 second address: D2814A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2814A second address: D28155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28155 second address: D28159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28159 second address: D2815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D282A3 second address: D282C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6D592C7166h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push edx 0x00000010 jmp 00007F6D592C7175h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2844F second address: D2848E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jnc 00007F6D58FF7B92h 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2848E second address: D2849D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D592C716Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2849D second address: D284CA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F6D58FF7B68h 0x00000010 pushad 0x00000011 jmp 00007F6D58FF7B78h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2EA4B second address: D2EA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D29C second address: D2D2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D2A1 second address: D2D2C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C7177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D879 second address: D2D894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D58FF7B77h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D894 second address: D2D89E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6D592C7166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEC61 second address: CDEC6B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEC6B second address: CDEC84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F6D592C7166h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jl 00007F6D592C7174h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEC84 second address: CDECFA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6D58FF7B66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F6D58FF7B68h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 or di, 527Fh 0x0000002a pushad 0x0000002b or edx, dword ptr [ebp+122D2BF0h] 0x00000031 popad 0x00000032 mov ebx, dword ptr [ebp+1248DC83h] 0x00000038 clc 0x00000039 add eax, ebx 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007F6D58FF7B68h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000017h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 movsx ecx, bx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F6D58FF7B6Dh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2DCDB second address: D2DCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6D592C7166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2DCE5 second address: D2DCFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D58FF7B72h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2DCFB second address: D2DD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2DD04 second address: D2DD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32189 second address: D3219B instructions: 0x00000000 rdtsc 0x00000002 je 00007F6D592C7166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3219B second address: D3219F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32317 second address: D32366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D592C716Dh 0x00000007 jmp 00007F6D592C7178h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jne 00007F6D592C7166h 0x00000015 jmp 00007F6D592C7177h 0x0000001a jc 00007F6D592C7166h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32366 second address: D32374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F6D58FF7B66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32374 second address: D3238E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D592C716Ch 0x0000000b je 00007F6D592C716Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D327D5 second address: D327D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D327D9 second address: D327DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38553 second address: D38559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38559 second address: D3855F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3855F second address: D38580 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6D58FF7B70h 0x00000008 jnp 00007F6D58FF7B66h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D386BD second address: D386C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B23CEC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CCADE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D5CA54 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5088 Thread sleep time: -30000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2209840369.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2210825197.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW V0
Source: file.exe, 00000000.00000002.2211125821.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2192560687.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2211246324.0000000001318000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2209840369.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B05BB0 LdrInitializeThunk, 0_2_00B05BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.store
Source: file.exe String found in binary or memory: spirittunek.store
Source: file.exe String found in binary or memory: dissapoiznw.store
Source: file.exe String found in binary or memory: studennotediw.store
Source: file.exe String found in binary or memory: mobbipenju.store
Source: file.exe String found in binary or memory: eaglepawnoy.store
Source: file.exe, file.exe, 00000000.00000002.2209973259.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1:5Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR