Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1526551
MD5: bdcde8ea7e2b2dc63cce44e50f0a6257
SHA1: e658b3da104ced11c8ec14f24d6669dca4a54987
SHA256: 657b7ee6f83be4b24fddd47c8b4194c87311064baf20b09b1fd3812b98aa74ec
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: file.exe.7152.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["studennotediw.stor", "dissapoiznw.stor", "clearancek.site", "eaglepawnoy.stor", "mobbipenju.stor", "bathdoomgaz.stor", "spirittunek.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}
Source: https://feelystroll.buzz/ Virustotal: Detection: 11% Perma Link
Source: https://feelystroll.buzz/api Virustotal: Detection: 12% Perma Link
Source: https://steamcommunity.com/profiles/76561199724331900/ Virustotal: Detection: 6% Perma Link
Source: file.exe ReversingLabs: Detection: 28%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2189602977.0000000000301000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0030D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_003463B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_0034695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_003499D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0030FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00310EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_0033F030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00316F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_00301000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00344040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00346094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0032D1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00322260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00322260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_003142FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_0030A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_003323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_0031B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0032E40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0032C470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0031D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00341440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_003464B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00316536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00347520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00329510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_00308590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0032E66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_0033B650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00347710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00345700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0032D7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_003467EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_003228E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00343920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_0031D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_003049A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00311A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00305A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00344A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00311ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00349B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_0031DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_0031DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00330B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00313BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00311BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_0033FC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00327C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_0032EC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_0032AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_0032AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00349CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00349CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_0032CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0032CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_0032CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0032DD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_0032FD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00348D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00314E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00325E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00327E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_0032AE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_0030BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00316EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00306EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00311E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0033FF70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00329F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00316F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00308FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00345FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_0031FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00347FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00347FC0

Networking

Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:60878 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:55025 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:62666 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:58403 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:55377 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:56376 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:56376 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:59134 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: studennotediw.stor
Source: Malware configuration extractor URLs: dissapoiznw.stor
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.stor
Source: Malware configuration extractor URLs: mobbipenju.stor
Source: Malware configuration extractor URLs: bathdoomgaz.stor
Source: Malware configuration extractor URLs: spirittunek.stor
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: feelystroll.buzz
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2190498715.000000000132E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steam0Nl
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2190378454.0000000001325000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/1
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/api
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/api#
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/i
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz/y
Source: file.exe, 00000000.00000002.2190498715.000000000132E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feelystroll.buzz:443/apiofiles/76561199724331900
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.2190498715.000000000132E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/api
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2190498715.000000000132E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/ki/c
Source: file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2189376539.0000000001340000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2189376539.0000000001340000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/
Source: file.exe, 00000000.00000003.2189342494.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001329000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000002.2190378454.0000000001325000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steVp
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2189376539.0000000001328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190695378.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190652504.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189342494.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2189322825.00000000013B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2189376539.0000000001372000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190498715.0000000001372000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0030CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0031D300 appears 152 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995616749174917
Source: file.exe Static PE information: Section: uimcmjhm ZLIB complexity 0.9943082526540071
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00338220 CoCreateInstance, 0_2_00338220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 28%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: file.exe Static file information: File size 1882112 > 1048576
Source: file.exe Static PE information: Raw size of uimcmjhm is bigger than: 0x100000 < 0x1a2000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.300000.0.unpack :EW;.rsrc :W;.idata :W; :EW;uimcmjhm:EW;givvxded:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;uimcmjhm:EW;givvxded:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1d871b should be: 0x1cde92
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: uimcmjhm
Source: file.exe Static PE information: section name: givvxded
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AE0D5 push 599F36ADh; mov dword ptr [esp], edi 0_2_005AE0FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DC0F5 push 1635FF38h; mov dword ptr [esp], ecx 0_2_004DC154
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00576082 push 70726281h; mov dword ptr [esp], ebp 0_2_005760AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00576082 push 7928D4C6h; mov dword ptr [esp], edx 0_2_005760E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00576082 push edi; mov dword ptr [esp], esi 0_2_00576109
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00576082 push edi; mov dword ptr [esp], esi 0_2_0057617D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EC096 push edx; mov dword ptr [esp], edi 0_2_004EC0AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E1158 push eax; mov dword ptr [esp], 3FB7A9E4h 0_2_004E111D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C216E push ebx; mov dword ptr [esp], esp 0_2_005C2180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebx; mov dword ptr [esp], 00000470h 0_2_004D2220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ecx; mov dword ptr [esp], 51D04900h 0_2_004D224F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebx; mov dword ptr [esp], 5F6ABC44h 0_2_004D22AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 1238DBA6h; mov dword ptr [esp], edi 0_2_004D2394
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebp; mov dword ptr [esp], 5F017C4Dh 0_2_004D23F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebp; mov dword ptr [esp], ecx 0_2_004D2493
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 7AA99872h; mov dword ptr [esp], edx 0_2_004D2548
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 03FFAB61h; mov dword ptr [esp], ecx 0_2_004D25DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push esi; mov dword ptr [esp], 7E7F94F1h 0_2_004D25E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push edx; mov dword ptr [esp], ebp 0_2_004D25EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ecx; mov dword ptr [esp], esi 0_2_004D26A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 7606A6FBh; mov dword ptr [esp], ecx 0_2_004D271B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push edx; mov dword ptr [esp], ebp 0_2_004D2732
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 7F38432Fh; mov dword ptr [esp], ecx 0_2_004D2796
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebx; mov dword ptr [esp], ecx 0_2_004D27BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push esi; mov dword ptr [esp], edx 0_2_004D2889
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push eax; mov dword ptr [esp], ecx 0_2_004D28B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebx; mov dword ptr [esp], ecx 0_2_004D28CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push edi; mov dword ptr [esp], eax 0_2_004D2949
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push ebp; mov dword ptr [esp], ecx 0_2_004D296B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push esi; mov dword ptr [esp], edx 0_2_004D2A4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D2171 push 7CEFBF5Eh; mov dword ptr [esp], ecx 0_2_004D2AA2
Source: file.exe Static PE information: section name: entropy: 7.978448333707626
Source: file.exe Static PE information: section name: uimcmjhm entropy: 7.9533842941242785

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 363B90 second address: 363B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 363B94 second address: 363BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093C1A78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FBE093C1A66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 363BBC second address: 363BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 363BC0 second address: 363BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 363BC6 second address: 363BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DCEA4 second address: 4DCEB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FBE093C1A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FBE093C1A66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB227 second address: 4CB22D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB22D second address: 4CB233 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC019 second address: 4DC02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE08E1478Ah 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC02B second address: 4DC04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jg 00007FBE093C1A80h 0x0000000d jmp 00007FBE093C1A74h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC460 second address: 4DC468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC5A3 second address: 4DC5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093C1A75h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE069 second address: 4DE075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE075 second address: 4DE0AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jp 00007FBE093C1A6Ch 0x0000000d or ecx, dword ptr [ebp+122D3928h] 0x00000013 push 00000000h 0x00000015 jmp 00007FBE093C1A6Eh 0x0000001a call 00007FBE093C1A69h 0x0000001f pushad 0x00000020 jnl 00007FBE093C1A68h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE275 second address: 4DE279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE279 second address: 4DE2ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 060CABBEh 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FBE093C1A68h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dh, cl 0x0000002a push 00000003h 0x0000002c mov dword ptr [ebp+122D1B51h], eax 0x00000032 push 00000000h 0x00000034 call 00007FBE093C1A73h 0x00000039 jmp 00007FBE093C1A71h 0x0000003e pop esi 0x0000003f push 00000003h 0x00000041 and ecx, 2B52D031h 0x00000047 push 980A0FB5h 0x0000004c push eax 0x0000004d push edx 0x0000004e push ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE2ED second address: 4DE2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE2F2 second address: 4DE2FC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE093C1A6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE3AA second address: 4DE3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE3AF second address: 4DE3FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE093C1A78h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jno 00007FBE093C1A66h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 push edi 0x0000001a jbe 00007FBE093C1A66h 0x00000020 pop edi 0x00000021 popad 0x00000022 nop 0x00000023 mov edi, ebx 0x00000025 push 00000000h 0x00000027 mov dword ptr [ebp+122D1B28h], edx 0x0000002d push 2238EBB6h 0x00000032 push eax 0x00000033 push edx 0x00000034 push esi 0x00000035 push edi 0x00000036 pop edi 0x00000037 pop esi 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEE0F second address: 4FEE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE771 second address: 4CE777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE777 second address: 4CE7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007FBE08E14786h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FBE08E14791h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jbe 00007FBE08E14786h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE7A2 second address: 4CE7F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093C1A6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBE093C1A6Eh 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FBE093C1A6Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBE093C1A6Eh 0x0000001c jmp 00007FBE093C1A75h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE7F4 second address: 4CE7F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE7F8 second address: 4CE7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE7FE second address: 4CE825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FBE08E147A5h 0x0000000c jmp 00007FBE08E14799h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCDAC second address: 4FCDB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007FBE093C1A66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCEC5 second address: 4FCEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCEC9 second address: 4FCECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCFF1 second address: 4FD007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007FBE08E14786h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FD007 second address: 4FD00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FD522 second address: 4FD52C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FBE08E14786h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FD7E0 second address: 4FD7E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FD7E4 second address: 4FD7EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FD913 second address: 4FD927 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 je 00007FBE093C1A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FBE093C1A6Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FDBC9 second address: 4FDBCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FDBCF second address: 4FDBD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FDD98 second address: 4FDDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBE08E1478Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE525 second address: 4FE52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBE093C1A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE52F second address: 4FE539 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE093BFB96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6A1 second address: 4FE6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6A7 second address: 4FE6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6B2 second address: 4FE6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6B6 second address: 4FE6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6BC second address: 4FE6D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093B9283h 0x00000009 jp 00007FBE093B9276h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE6D9 second address: 4FE6E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE093BFB96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500DEF second address: 500DF5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500DF5 second address: 500E00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBE093BFB96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500E00 second address: 500E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093B9285h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FBE093B9276h 0x00000012 jmp 00007FBE093B927Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50410E second address: 504112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50531F second address: 505323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 505323 second address: 50533F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBE093BFBA3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50533F second address: 505345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D6D8C second address: 4D6D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508C40 second address: 508C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007FBE093B9276h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50966F second address: 509683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FBE093BFB9Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 509683 second address: 50968F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007FBE093B9276h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50968F second address: 5096AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5096AB second address: 5096B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B56F second address: 50B589 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B589 second address: 50B5AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FBE093B9276h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 6A5F8388h 0x00000013 mov esi, dword ptr [ebp+122D2AD7h] 0x00000019 push 22EFE716h 0x0000001e push ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50BBCF second address: 50BBE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50BCEA second address: 50BCFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBE093B9276h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50BCFC second address: 50BD02 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50BD02 second address: 50BD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE093B9286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C176 second address: 50C191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093BFBA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C191 second address: 50C20F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093B9284h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007FBE093B9283h 0x00000013 jmp 00007FBE093B927Dh 0x00000018 jmp 00007FBE093B927Fh 0x0000001d popad 0x0000001e xchg eax, ebx 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007FBE093B9278h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 or esi, dword ptr [ebp+122D57CBh] 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push esi 0x00000043 jmp 00007FBE093B9287h 0x00000048 pop esi 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C20F second address: 50C215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C215 second address: 50C219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C2A6 second address: 50C2AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C66A second address: 50C66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E227 second address: 50E22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E22B second address: 50E240 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBE093B927Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EC26 second address: 50EC8F instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE093BFBAFh 0x00000008 jmp 00007FBE093BFBA9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FBE093BFB98h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c xor dword ptr [ebp+122D363Fh], edi 0x00000032 push 00000000h 0x00000034 sub edi, 482AE0FDh 0x0000003a push 00000000h 0x0000003c mov edi, dword ptr [ebp+122D38B5h] 0x00000042 xchg eax, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jp 00007FBE093BFB96h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EAA9 second address: 50EAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EC8F second address: 50EC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EAAD second address: 50EAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EC93 second address: 50EC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EAB3 second address: 50EAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093B927Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EC99 second address: 50EC9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EAC4 second address: 50EAC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50EC9F second address: 50ECA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F4EB second address: 50F4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F4F0 second address: 50F4F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 510F70 second address: 510F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007FBE093B9278h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511199 second address: 5111A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBE093BFB96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 510F84 second address: 510F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5111A3 second address: 5111F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c ja 00007FBE093BFBADh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+122D29E8h] 0x0000001b push 00000000h 0x0000001d mov si, D6F7h 0x00000021 stc 0x00000022 push eax 0x00000023 push eax 0x00000024 jng 00007FBE093BFB9Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511CA5 second address: 511CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511CAB second address: 511CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511A33 second address: 511A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBE093B9276h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511A3E second address: 511A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511A61 second address: 511A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511D9D second address: 511DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007FBE093BFBA8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FBE093BFB96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511A65 second address: 511A6F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE093B9276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511DB2 second address: 511DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511A6F second address: 511A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBE093B9276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5128B2 second address: 5128BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FBE093BFB96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5128BC second address: 512939 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jbe 00007FBE093B9276h 0x00000011 jnc 00007FBE093B9276h 0x00000017 popad 0x00000018 pop ebx 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FBE093B9278h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 movsx esi, ax 0x00000037 mov dword ptr [ebp+122D2A20h], edx 0x0000003d mov esi, dword ptr [ebp+122D1BF0h] 0x00000043 push 00000000h 0x00000045 mov edi, dword ptr [ebp+122D2CEBh] 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e mov dword ptr [ebp+122D3518h], edx 0x00000054 pop edi 0x00000055 xchg eax, ebx 0x00000056 js 00007FBE093B9288h 0x0000005c push ebx 0x0000005d jmp 00007FBE093B9280h 0x00000062 pop ebx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 jng 00007FBE093B9276h 0x0000006d push eax 0x0000006e pop eax 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 513430 second address: 513434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51320B second address: 51321A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093B927Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 516D43 second address: 516D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 516D47 second address: 516D4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 516D4D second address: 516D74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFB9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FBE093BFBABh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBE093BFB9Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A60C second address: 51A630 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093B9285h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jnp 00007FBE093B9276h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C6B0 second address: 51C6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C6B4 second address: 51C6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FBE093B927Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51DCC8 second address: 51DD0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BFBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add dword ptr [ebp+122D365Ch], ecx 0x00000012 mov di, si 0x00000015 push 00000000h 0x00000017 or bl, 00000079h 0x0000001a push 00000000h 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D1B63h], edx 0x00000023 stc 0x00000024 popad 0x00000025 push eax 0x00000026 jnp 00007FBE093BFBA0h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51CE4D second address: 51CE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51CF2E second address: 51CF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EDE9 second address: 51EDEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51DE17 second address: 51DE1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EDEF second address: 51EE6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FBE093B9278h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jg 00007FBE093B927Ch 0x00000029 and bx, 3C7Fh 0x0000002e push 00000000h 0x00000030 mov di, bx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FBE093B9278h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov di, 6817h 0x00000053 xchg eax, esi 0x00000054 jmp 00007FBE093B927Fh 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f pop eax 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51DE1D second address: 51DE2F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007FBE093BFBB1h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EE6E second address: 51EE74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520E2F second address: 520E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F093 second address: 51F099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F099 second address: 51F09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5214D9 second address: 5214DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52176E second address: 521772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521772 second address: 52179B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBE093B9276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FBE093B9286h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5233DD second address: 52341B instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE093BFB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FBE093BFBA0h 0x00000010 nop 0x00000011 ja 00007FBE093BFB99h 0x00000017 push 00000000h 0x00000019 or dword ptr [ebp+122D1BF0h], edx 0x0000001f push 00000000h 0x00000021 adc bx, 48D2h 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jg 00007FBE093BFB96h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52341B second address: 52343F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBE093BE2B6h 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 525714 second address: 52579F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007FBE0900455Fh 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FBE09004558h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 or bx, 40DAh 0x0000002b mov dword ptr [ebp+122D3453h], edx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FBE09004558h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d push 00000000h 0x0000004f mov edi, 2BCB2422h 0x00000054 push eax 0x00000055 pushad 0x00000056 jp 00007FBE09004567h 0x0000005c jmp 00007FBE09004561h 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52466D second address: 524673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524673 second address: 524682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE0900455Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523518 second address: 523547 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FBE093BE2B8h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBE093BE2AAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526683 second address: 526687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523547 second address: 5235DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FBE093BE2A8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007FBE093BE2A8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 or dword ptr [ebp+122D29BEh], edi 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 mov dword ptr [ebp+12456B07h], ecx 0x00000059 mov eax, dword ptr [ebp+122D155Dh] 0x0000005f mov dword ptr [ebp+122D29B4h], ebx 0x00000065 push FFFFFFFFh 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jnl 00007FBE093BE2ACh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52671B second address: 52672A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FBE09004556h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C62A2 second address: 4C62A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526913 second address: 526942 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE0900456Fh 0x00000008 jmp 00007FBE09004569h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jne 00007FBE09004556h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C62A7 second address: 4C62AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526942 second address: 526947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526947 second address: 52694D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52694D second address: 526951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528B31 second address: 528B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007FBE093BE2ADh 0x0000000f movzx edi, di 0x00000012 pop ebx 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+122D34E5h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FBE093BE2A8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528B8C second address: 528B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528B90 second address: 528B96 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529B6B second address: 529C03 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBE09004565h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, 01E10859h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FBE09004558h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d sub dword ptr [ebp+1247CD72h], ecx 0x00000033 jmp 00007FBE0900455Dh 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007FBE09004558h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 push ebx 0x00000055 jbe 00007FBE0900455Bh 0x0000005b mov ebx, 05DF6DA8h 0x00000060 pop ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 jmp 00007FBE0900455Dh 0x0000006a pop esi 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528DB9 second address: 528DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52AD05 second address: 52AD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE09004560h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531293 second address: 5312B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE093BE2B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5343E4 second address: 5343EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534699 second address: 53469D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53469D second address: 5346A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5346A7 second address: 5346B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBE093BE2A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537B2D second address: 537B37 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBE09004556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537B37 second address: 537B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537B51 second address: 537B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FBE0900455Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBE09004568h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A352 second address: 53A365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007FBE093BE2A6h 0x0000000c jng 00007FBE093BE2A6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A365 second address: 53A37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FBE09004562h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A37D second address: 53A381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B9C3 second address: 53B9E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004568h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FBE09004556h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5414AA second address: 5414B1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3771 second address: 4D3775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D3775 second address: 4D37B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2AAh 0x00000007 jmp 00007FBE093BE2B3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FBE093BE2B9h 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D37B7 second address: 4D37BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D37BB second address: 4D37C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D37C7 second address: 4D37CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540798 second address: 54079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54079E second address: 5407A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5407A3 second address: 5407E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jg 00007FBE093BE2A6h 0x00000014 jmp 00007FBE093BE2AFh 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c jmp 00007FBE093BE2AEh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540AD5 second address: 540ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540D89 second address: 540D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093BE2ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540D98 second address: 540D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540D9C second address: 540DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBE093BE2B3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540DBA second address: 540DCA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FBE09004556h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540DCA second address: 540DE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBE093BE2ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5412E8 second address: 5412EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5412EC second address: 541312 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBE093BE2BCh 0x00000008 jnp 00007FBE093BE2A6h 0x0000000e jmp 00007FBE093BE2B0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FBE093BE2A6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5440FD second address: 544101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 544101 second address: 54410C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54410C second address: 544111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 544111 second address: 54411C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FBE093BE2A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547462 second address: 547466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547466 second address: 547472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBE093BE2A6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5145A9 second address: 5145AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5145AE second address: 514646 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE093BE2ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FBE093BE2A8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 jmp 00007FBE093BE2B0h 0x0000002c call 00007FBE093BE2B6h 0x00000031 mov dx, di 0x00000034 pop edx 0x00000035 lea eax, dword ptr [ebp+124842C5h] 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FBE093BE2A8h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 push eax 0x00000056 jbe 00007FBE093BE2B0h 0x0000005c pushad 0x0000005d push esi 0x0000005e pop esi 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514AB9 second address: 363B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBE0900455Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FBE09004563h 0x00000011 nop 0x00000012 sub edi, 4D13E20Ch 0x00000018 push dword ptr [ebp+122D0525h] 0x0000001e or dword ptr [ebp+122D1DEEh], edi 0x00000024 call dword ptr [ebp+122D3A57h] 0x0000002a pushad 0x0000002b or dword ptr [ebp+122D32BFh], edx 0x00000031 jmp 00007FBE09004561h 0x00000036 xor eax, eax 0x00000038 jng 00007FBE0900455Dh 0x0000003e xor dword ptr [ebp+122D3958h], edi 0x00000044 mov edx, dword ptr [esp+28h] 0x00000048 jl 00007FBE09004557h 0x0000004e mov dword ptr [ebp+122D2DCBh], eax 0x00000054 sub dword ptr [ebp+122D32BFh], edx 0x0000005a mov esi, 0000003Ch 0x0000005f pushad 0x00000060 mov edi, 370E3A00h 0x00000065 mov bx, dx 0x00000068 popad 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d clc 0x0000006e mov dword ptr [ebp+122D1BEBh], eax 0x00000074 lodsw 0x00000076 add dword ptr [ebp+122D32BFh], eax 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 jns 00007FBE09004560h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a jmp 00007FBE0900455Ch 0x0000008f nop 0x00000090 push ecx 0x00000091 push eax 0x00000092 push edx 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514B6B second address: 514B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093BE2ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514B7A second address: 363B90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004569h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f sub dword ptr [ebp+122D384Ah], edi 0x00000015 jne 00007FBE0900455Bh 0x0000001b popad 0x0000001c push dword ptr [ebp+122D0525h] 0x00000022 call 00007FBE09004560h 0x00000027 mov cx, bx 0x0000002a pop edi 0x0000002b jns 00007FBE09004559h 0x00000031 call dword ptr [ebp+122D3A57h] 0x00000037 pushad 0x00000038 or dword ptr [ebp+122D32BFh], edx 0x0000003e jmp 00007FBE09004561h 0x00000043 xor eax, eax 0x00000045 jng 00007FBE0900455Dh 0x0000004b xor dword ptr [ebp+122D3958h], edi 0x00000051 mov edx, dword ptr [esp+28h] 0x00000055 jl 00007FBE09004557h 0x0000005b stc 0x0000005c mov dword ptr [ebp+122D2DCBh], eax 0x00000062 sub dword ptr [ebp+122D32BFh], edx 0x00000068 mov esi, 0000003Ch 0x0000006d pushad 0x0000006e mov edi, 370E3A00h 0x00000073 mov bx, dx 0x00000076 popad 0x00000077 add esi, dword ptr [esp+24h] 0x0000007b clc 0x0000007c mov dword ptr [ebp+122D1BEBh], eax 0x00000082 lodsw 0x00000084 add dword ptr [ebp+122D32BFh], eax 0x0000008a add eax, dword ptr [esp+24h] 0x0000008e jns 00007FBE09004560h 0x00000094 mov ebx, dword ptr [esp+24h] 0x00000098 jmp 00007FBE0900455Ch 0x0000009d nop 0x0000009e push ecx 0x0000009f push eax 0x000000a0 push edx 0x000000a1 push eax 0x000000a2 push edx 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514CC7 second address: 514CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 clc 0x00000008 mov dword ptr [ebp+122D362Dh], edx 0x0000000e call 00007FBE093BE2A9h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jns 00007FBE093BE2A6h 0x0000001c jnc 00007FBE093BE2A6h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514CEE second address: 514CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514CF5 second address: 514D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FBE093BE2B9h 0x0000000e jmp 00007FBE093BE2B8h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007FBE093BE2B4h 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 514FFF second address: 515005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5151C9 second address: 5151D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE093BE2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 515559 second address: 51555F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51555F second address: 51557A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51557A second address: 515585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBE09004556h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 515991 second address: 515995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 515995 second address: 51599B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51599B second address: 5159A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547767 second address: 54776C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A21 second address: 547A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A27 second address: 547A33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A33 second address: 547A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A37 second address: 547A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A3B second address: 547A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547D0C second address: 547D16 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBE09004556h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547D16 second address: 547D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C89B second address: 54C89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C89F second address: 54C8B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C8B4 second address: 54C8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBE09004556h 0x0000000a jmp 00007FBE09004566h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C8D4 second address: 54C8E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jg 00007FBE093BE2A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CBB9 second address: 54CBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CBBD second address: 54CBD4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007FBE093BE2A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jno 00007FBE093BE2A6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CBD4 second address: 54CBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push edx 0x0000000e jl 00007FBE09004556h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0DA second address: 54D0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0E0 second address: 54D100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE0900455Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBE0900455Ah 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D100 second address: 54D106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D106 second address: 54D10E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D10E second address: 54D12C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBE093BE2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007FBE093BE2A6h 0x00000011 jbe 00007FBE093BE2A6h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D2E3 second address: 54D2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D2E9 second address: 54D306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE093BE2B5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D306 second address: 54D310 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBE09004556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D310 second address: 54D324 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE093BE2A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FBE093BE2A6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D324 second address: 54D328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D497 second address: 54D4BF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBE093BE2A6h 0x00000008 jmp 00007FBE093BE2AAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FBE093BE2B4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D4BF second address: 54D4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE09004566h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D4DB second address: 54D50B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBE093BE2ABh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jbe 00007FBE093BE2B2h 0x00000016 jnl 00007FBE093BE2A6h 0x0000001c jbe 00007FBE093BE2A6h 0x00000022 jbe 00007FBE093BE2AEh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D80E second address: 54D841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBE09004556h 0x0000000a jmp 00007FBE0900455Dh 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FBE0900455Ch 0x00000019 jno 00007FBE09004556h 0x0000001f jmp 00007FBE0900455Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55220A second address: 552234 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBE093BE2AEh 0x00000008 pushad 0x00000009 jmp 00007FBE093BE2B5h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5523FD second address: 552413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE09004562h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552413 second address: 552424 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007FBE093BE2A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552424 second address: 552429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552A9D second address: 552AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551F54 second address: 551F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FBE09004556h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552EDC second address: 552EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBE093BE2A6h 0x0000000a pop ebx 0x0000000b jnc 00007FBE093BE2B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552EFF second address: 552F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A865 second address: 55A86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A86B second address: 55A880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBE0900455Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A419 second address: 55A456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBE093BE2B8h 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FBE093BE2A6h 0x00000018 jmp 00007FBE093BE2B2h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A456 second address: 55A45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A5AC second address: 55A5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A5B2 second address: 55A5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A5B7 second address: 55A5C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FBE093BE2A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D6E3 second address: 55D703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004562h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FBE09004556h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D703 second address: 55D707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D707 second address: 55D70B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D0F2 second address: 55D0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D252 second address: 55D266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBE0900455Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D3DA second address: 55D3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D3E0 second address: 55D3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C116C second address: 4C1196 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FBE093BE2AFh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C1196 second address: 4C11A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C11A3 second address: 4C11A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562C90 second address: 562C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562C94 second address: 562CB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CB3 second address: 562CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CB9 second address: 562CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CBD second address: 562CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CC8 second address: 562CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CCE second address: 562CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562CD7 second address: 562CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562FAB second address: 562FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007FBE09004556h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnc 00007FBE0900455Ah 0x00000018 push eax 0x00000019 pop eax 0x0000001a push edx 0x0000001b pop edx 0x0000001c push esi 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FBE09004566h 0x00000024 pop esi 0x00000025 push ebx 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56356E second address: 56358D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FBE093BE2B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56358D second address: 5635E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007FBE09004563h 0x0000000e popad 0x0000000f pushad 0x00000010 push esi 0x00000011 jmp 00007FBE09004569h 0x00000016 pop esi 0x00000017 push ebx 0x00000018 jmp 00007FBE09004568h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5635E1 second address: 56360B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FBE093BE2B4h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jo 00007FBE093BE2A6h 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568DF2 second address: 568E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBE09004556h 0x0000000a jng 00007FBE09004556h 0x00000010 popad 0x00000011 jmp 00007FBE09004564h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007FBE09004556h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568E21 second address: 568E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568540 second address: 568546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568546 second address: 568572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBE093BE2B6h 0x0000000b jmp 00007FBE093BE2AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568572 second address: 56857B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56857B second address: 56857F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56857F second address: 5685A1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE09004556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBE09004564h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E718 second address: 56E724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBE093BE2A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D1E4 second address: 56D1E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D36F second address: 56D37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBE093BE2A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D37B second address: 56D385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D385 second address: 56D38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4AB second address: 56D4B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4B1 second address: 56D4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBE093BE2A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4BB second address: 56D4CD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBE09004556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4CD second address: 56D4D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4D3 second address: 56D4DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBE09004556h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D4DD second address: 56D4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5153CA second address: 5153CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5153CF second address: 515410 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBE093BE2A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FBE093BE2AFh 0x00000010 nop 0x00000011 sub edx, 4AC11B37h 0x00000017 mov dx, 49C1h 0x0000001b mov ebx, dword ptr [ebp+12484304h] 0x00000021 mov dword ptr [ebp+122D1B63h], esi 0x00000027 add eax, ebx 0x00000029 push eax 0x0000002a jl 00007FBE093BE2B0h 0x00000030 pushad 0x00000031 push ebx 0x00000032 pop ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E44E second address: 56E454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E454 second address: 56E463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093BE2ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574AB1 second address: 574AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574F67 second address: 574F6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575840 second address: 57585D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBE0900455Fh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57585D second address: 575861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575861 second address: 575876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE0900455Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575876 second address: 57587A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57587A second address: 575896 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004566h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575896 second address: 5758AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FBE093BE2A6h 0x0000000b pop ebx 0x0000000c jnl 00007FBE093BE2ACh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57676C second address: 576772 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576772 second address: 576781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576781 second address: 5767A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007FBE09004556h 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FBE0900455Fh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 js 00007FBE09004556h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57EE5D second address: 57EE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093BE2ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E33D second address: 57E371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBE09004556h 0x0000000a jmp 00007FBE0900455Ch 0x0000000f jmp 00007FBE09004565h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007FBE09004556h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E371 second address: 57E385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E4CC second address: 57E50B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FBE0900455Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 jo 00007FBE09004556h 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FBE09004560h 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 je 00007FBE0900455Eh 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e jnl 00007FBE09004556h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E678 second address: 57E67C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E67C second address: 57E681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E7B6 second address: 57E7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E8DD second address: 57E8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FBE0900455Eh 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E8F3 second address: 57E8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E8FE second address: 57E904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5865F5 second address: 5865F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5865F9 second address: 5865FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5865FF second address: 586605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 586605 second address: 58661B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE09004558h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FBE09004558h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5847FA second address: 584807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007FBE093BE2A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 584807 second address: 584814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FBE0900455Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58497F second address: 584983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 584983 second address: 584991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FBE0900455Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 584991 second address: 584995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 584995 second address: 5849BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FBE09004568h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5849BD second address: 5849C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 584C56 second address: 584C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004567h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58536D second address: 585377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBE093BE2A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585377 second address: 585394 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007FBE0900455Ah 0x0000000f pop ecx 0x00000010 push eax 0x00000011 jno 00007FBE09004556h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585394 second address: 585399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590DFA second address: 590E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590E03 second address: 590E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C2C70 second address: 4C2C9F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBE09004556h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FBE09004568h 0x00000014 jnc 00007FBE09004556h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C2C9F second address: 4C2CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C2CA7 second address: 4C2CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBE09004556h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C2CB8 second address: 4C2CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59DC66 second address: 59DC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FBE09004562h 0x0000000b popad 0x0000000c jo 00007FBE0900457Fh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59DE2C second address: 59DE30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A19AF second address: 5A19B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A19B3 second address: 5A19DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 jmp 00007FBE093BE2ACh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jmp 00007FBE093BE2B3h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A19DF second address: 5A19E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A1391 second address: 5A1397 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A1397 second address: 5A13AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE0900455Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A1514 second address: 5A153A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE093BE2A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push edx 0x0000000e jno 00007FBE093BE2B2h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8EDC second address: 5A8EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FBE0900455Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8EF0 second address: 5A8EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8EFC second address: 5A8F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F00 second address: 5A8F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F04 second address: 5A8F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F11 second address: 5A8F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F16 second address: 5A8F1B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8D82 second address: 5A8D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093BE2ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B15C4 second address: 5B15C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B15C8 second address: 5B15CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3C6E second address: 5B3C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FBE09004556h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3C7A second address: 5B3C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3C7E second address: 5B3C82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52FD second address: 5B5303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B7620 second address: 5B762A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBE09004556h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B762A second address: 5B763D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B763D second address: 5B765B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBE09004569h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B765B second address: 5B7660 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC405 second address: 5BC40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC40B second address: 5BC40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC581 second address: 5BC5B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004560h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FBE09004572h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC5B9 second address: 5BC5D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBE093BE2B1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC5D0 second address: 5BC5D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC72C second address: 5BC732 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC732 second address: 5BC73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC73E second address: 5BC742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BC8C3 second address: 5BC904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007FBE09004556h 0x0000000e pop edi 0x0000000f jmp 00007FBE09004569h 0x00000014 pushad 0x00000015 jmp 00007FBE09004566h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCA8B second address: 5BCAAC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007FBE093BE2A6h 0x00000009 jmp 00007FBE093BE2AFh 0x0000000e pop ecx 0x0000000f jo 00007FBE093BE2ACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCDDC second address: 5BCDE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCDE2 second address: 5BCDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FBE093BE2AEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD99F second address: 5BD9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD9AA second address: 5BD9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C13E6 second address: 5C13F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FBE0900455Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C13F7 second address: 5C1403 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE093BE2AEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C1403 second address: 5C140B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CAFDA second address: 5CAFDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF413 second address: 5DF43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE09004567h 0x00000009 jmp 00007FBE0900455Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF43D second address: 5DF45C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF45C second address: 5DF462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF462 second address: 5DF46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF46F second address: 5DF473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF473 second address: 5DF4AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FBE093BE2A6h 0x00000011 jmp 00007FBE093BE2B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1042 second address: 5E1048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1048 second address: 5E105D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBE093BE2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jbe 00007FBE093BE2A6h 0x00000011 pop esi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9DD4 second address: 5F9DDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9DDA second address: 5F9DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9DE0 second address: 5F9DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE09004564h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9DFA second address: 5F9E24 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBE093BE2A6h 0x00000008 jmp 00007FBE093BE2B5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FBE093BE2A6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9E24 second address: 5F9E2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9E2E second address: 5F9E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE093BE2AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9E41 second address: 5F9E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE09004561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FBE09004556h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA001 second address: 5FA01C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B0h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA01C second address: 5FA03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBE09004569h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA03C second address: 5FA042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA042 second address: 5FA046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA1D9 second address: 5FA1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA1DE second address: 5FA1F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE09004565h 0x00000008 jmp 00007FBE0900455Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA1F9 second address: 5FA217 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBE093BE2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FBE093BE2ACh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA5E3 second address: 5FA5E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA5E7 second address: 5FA5FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007FBE093BE2A6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FBE093BE2A8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA5FF second address: 5FA619 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBE09004565h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA79B second address: 5FA7A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA7A1 second address: 5FA7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE0900455Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA7B7 second address: 5FA7D0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBE093BE2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FBE093BE2ACh 0x00000013 js 00007FBE093BE2A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FEF6A second address: 5FEF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2D8 second address: 5FF2DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2DE second address: 5FF2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2E2 second address: 5FF2F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FBE093BE2A6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2F8 second address: 5FF2FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2FC second address: 5FF302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF302 second address: 5FF308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF535 second address: 5FF565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sub edx, dword ptr [ebp+122D2D8Fh] 0x0000000c sbb edx, 71100ADBh 0x00000012 push dword ptr [ebp+1244D39Eh] 0x00000018 mov edx, dword ptr [ebp+122D1A00h] 0x0000001e push 25A54E9Dh 0x00000023 pushad 0x00000024 push eax 0x00000025 pushad 0x00000026 popad 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jg 00007FBE093BE2A6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF565 second address: 5FF569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60096D second address: 600971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600971 second address: 60098C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE09004561h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60281A second address: 60281E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511003C second address: 5110077 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBE09004560h 0x00000008 sub eax, 062FA1B8h 0x0000000e jmp 00007FBE0900455Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov esi, 01B275EFh 0x0000001b popad 0x0000001c mov ecx, dword ptr [eax+00000FDCh] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ecx, edx 0x00000027 push ebx 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5110077 second address: 5110086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE093BE2ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5110086 second address: 511008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511008A second address: 51100E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a pushad 0x0000000b mov bh, 77h 0x0000000d push esi 0x0000000e pushfd 0x0000000f jmp 00007FBE093BE2B3h 0x00000014 add esi, 3045BD8Eh 0x0000001a jmp 00007FBE093BE2B9h 0x0000001f popfd 0x00000020 pop ecx 0x00000021 popad 0x00000022 jns 00007FBE093BE314h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FBE093BE2AAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51100E0 second address: 511014E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FBE0900455Fh 0x00000014 adc eax, 583AA84Eh 0x0000001a jmp 00007FBE09004569h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FBE09004560h 0x00000026 adc ecx, 605C24C8h 0x0000002c jmp 00007FBE0900455Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr [eax+00000860h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511014E second address: 5110169 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE093BE2B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5110169 second address: 5110217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBE0900455Fh 0x00000009 add ecx, 01CE706Eh 0x0000000f jmp 00007FBE09004569h 0x00000014 popfd 0x00000015 mov eax, 747B0DF7h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test eax, eax 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FBE09004568h 0x00000026 jmp 00007FBE09004565h 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007FBE09004560h 0x00000032 sbb eax, 051DD978h 0x00000038 jmp 00007FBE0900455Bh 0x0000003d popfd 0x0000003e popad 0x0000003f je 00007FBE7A82B0BBh 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FBE09004565h 0x0000004c rdtsc
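Reading two dozen interceptor lines by eye is slow, and most of the text between the two RDTSC reads is padding: balanced push/pop pairs, pushad/popad brackets and short jumps that cost cycles under an emulator or a single-stepping debugger without doing any work. The script below is an added triage example (not Joe Sandbox code and not taken from the sample) that parses the lines copied from the report above, strips the offsets, separates the padding from instructions whose effect actually survives to the second read, and chains lines whose second address is the next line's first address. The junk/real-work split is an analyst heuristic, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' lines.

Added triage example, not part of Joe Sandbox or of this report. Each line
records what runs between two consecutive RDTSC reads; the packer pads that
window with stack-neutral junk and opaque jumps. The junk/real-work split
below is an analyst heuristic, not a Joe Sandbox classification.
"""
import re
from dataclasses import dataclass

# Constructed input: five interceptor lines copied verbatim from the report.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA5E7 second address: 5FA5FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007FBE093BE2A6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FBE093BE2A8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA5FF second address: 5FA619 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBE09004565h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2DE second address: 5FF2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF535 second address: 5FF565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sub edx, dword ptr [ebp+122D2D8Fh] 0x0000000c sbb edx, 71100ADBh 0x00000012 push dword ptr [ebp+1244D39Eh] 0x00000018 mov edx, dword ptr [ebp+122D1A00h] 0x0000001e push 25A54E9Dh 0x00000023 pushad 0x00000024 push eax 0x00000025 pushad 0x00000026 popad 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jg 00007FBE093BE2A6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 511008A second address: 51100E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a pushad 0x0000000b mov bh, 77h 0x0000000d push esi 0x0000000e pushfd 0x0000000f jmp 00007FBE093BE2B3h 0x00000014 add esi, 3045BD8Eh 0x0000001a jmp 00007FBE093BE2B9h 0x0000001f popfd 0x00000020 pop ecx 0x00000021 popad 0x00000022 jns 00007FBE093BE314h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FBE093BE2AAh 0x0000002f rdtsc
"""

LINE_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")   # "0x0000000a popad" -> "popad"
SCAFFOLD = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop", "jmp"}
JCC_RE = re.compile(r"^j[a-z]{1,3}$")               # jns, jnc, jg, ja, js, je, ...


@dataclass
class RdtscSpan:
    first: int
    second: int
    instructions: list   # everything between (excluding) the two rdtsc
    semantic: list       # instructions judged to do real work

    @property
    def is_probe_only(self) -> bool:
        return not self.semantic


def mnemonic(instr: str) -> str:
    return instr.split()[0].lower()


def writes_memory(instr: str) -> bool:
    # Destination operand is a memory reference, e.g. "mov dword ptr [esp+04h], eax".
    return "ptr [" in instr.split(",")[0] and mnemonic(instr) not in ("push", "cmp", "test")


def classify(instrs: list) -> list:
    """Keep instructions whose effect survives to the second RDTSC.

    Inside a pushad/popad bracket register writes are undone by popad, so only
    memory writes count there; at depth 0 stack scaffolding, nop, jmp and
    conditional jumps are treated as flow obfuscation.
    """
    semantic, depth = [], 0
    for ins in instrs:
        m = mnemonic(ins)
        if m == "pushad":
            depth += 1
            continue
        if m == "popad":
            depth = max(depth - 1, 0)
            continue
        if depth > 0 and not writes_memory(ins):
            continue
        if m in SCAFFOLD or JCC_RE.match(m):
            continue
        semantic.append(ins)
    return semantic


def parse_report(text: str) -> list:
    spans = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        instrs = [p.strip() for p in OFFSET_RE.split(m.group(3)) if p.strip()]
        if instrs and mnemonic(instrs[0]) == "rdtsc":    # the first read itself
            instrs = instrs[1:]
        if instrs and mnemonic(instrs[-1]) == "rdtsc":   # the second read itself
            instrs = instrs[:-1]
        spans.append(RdtscSpan(int(m.group(1), 16), int(m.group(2), 16),
                               instrs, classify(instrs)))
    return spans


def chain_spans(spans: list) -> list:
    """Group spans where one line's second address is the next line's first."""
    chains = []
    for s in spans:
        if chains and chains[-1][-1].second == s.first:
            chains[-1].append(s)
        else:
            chains.append([s])
    return chains


if __name__ == "__main__":
    for chain in chain_spans(parse_report(REPORT_LINES)):
        for s in chain:
            print(f"{s.first:08X}-{s.second:08X} {len(s.instructions):2d} instr  "
                  + ("timing probe only" if s.is_probe_only
                     else "wraps: " + "; ".join(s.semantic)))
```

On the five lines above the script reports the 5FA5E7 and 5FA5FF spans as one chain of pure timing probes, while the 5FF535 span wraps `sub edx, [ebp+...]`, `sbb edx, imm` and `mov edx, [ebp+...]` and the 511008A span wraps `test ecx, ecx`; the `mov bh, 77h` and `add esi, imm` inside the latter's pushad/popad bracket are correctly discarded as junk. Spans that wrap real work are the ones worth opening in a disassembler; the probe-only ones are what an analysis VM's TSC handling must survive. The `Oreans.vxd` and `Software\WinLicense` strings reported further down this page indicate the Oreans packer family (Themida/WinLicense), which is consistent with this style of RDTSC padding.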
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 363BDB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3614E6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 52D8DA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 363B07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 363B01 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 592DFC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5060 Thread sleep time: -60000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2189647979.00000000004E5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2190498715.000000000134F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190378454.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000134F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2190498715.000000000134F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189376539.000000000134F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.2189647979.00000000004E5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00345BB0 LdrInitializeThunk, 0_2_00345BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe, file.exe, 00000000.00000002.2189647979.00000000004E5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: {Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
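The Anti Debugging and HIPS / PFW lines above are the ones a triage script normally harvests from a report like this: the C2 domain candidates, the registry values read to recognise a VM, and the debugger and monitor probes. The script below is an added example (not Joe Sandbox code and not part of the report) that does this over lines copied from the sections above. The TLD allowlist in it is an assumption used only to flag names that may have been cut short by the report, such as the `.stor` entries; flagged names are kept exactly as reported and must be confirmed against the sample's decrypted configuration rather than "corrected" by hand.

```python
"""Harvest indicators and anti-analysis artifacts from Joe Sandbox behavior lines.

Added triage example, not part of Joe Sandbox or of this report. The input is
copied from the 'Anti Debugging' and 'HIPS / PFW' sections. KNOWN_TLDS is an
analyst assumption used only to flag domains the report may have cut short;
flagged names are kept verbatim, never completed.
"""
import re

# Constructed input: a representative subset of the report's lines, verbatim.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
"""

# Event kinds in the order they are tried; the first matching pattern wins.
EVENTS = [
    ("registry_query", re.compile(r"Registry key queried: (\S+) name: (\S+)")),
    ("registry_value", re.compile(r"Key value queried: (\S+) (\S+)")),
    ("thread_info_set", re.compile(r"Thread information set: (\S+)")),
    ("process_query", re.compile(r"Process queried: (\S+)")),
    ("window_probe", re.compile(r"Open window title or class name: (.+)")),
    ("device_open", re.compile(r"File opened: (\S+)")),   # NTICE/SICE/SIWVID are SoftICE devices
    ("string", re.compile(r"String found in binary or memory: (\S+)")),
]
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Assumption: TLDs accepted without a second look. Anything else is flagged, not fixed.
KNOWN_TLDS = {"com", "net", "org", "info", "site", "store", "shop", "xyz", "top", "ru", "io"}


def parse_events(text: str) -> list:
    events = []
    for raw in text.splitlines():
        line = re.sub(r"\s*Jump to behavior$", "", raw.strip())  # drop report link text
        if not line.startswith("Source:"):
            continue
        for kind, pat in EVENTS:
            m = pat.search(line)
            if m:
                events.append((kind, m.groups()))
                break
    return events


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


def triage(text: str) -> dict:
    out = {
        "c2_candidates": [],
        "vm_fingerprints": [],   # registry values read to recognise a VM/sandbox
        "host_id_sources": [],   # stable per-install identifiers read by the sample
        "debugger_checks": {"windows": [], "devices": [],
                            "process_debugport_queries": 0,
                            "thread_hide_from_debugger": False},
    }
    dbg = out["debugger_checks"]
    for kind, g in parse_events(text):
        if kind == "string" and DOMAIN_RE.match(g[0]):
            tld = g[0].rsplit(".", 1)[1]
            out["c2_candidates"].append({"domain": g[0], "defanged": defang(g[0]),
                                         "tld_verified": tld in KNOWN_TLDS})
        elif kind == "registry_query":
            out["vm_fingerprints"].append(g[0] + "\\" + g[1])
        elif kind == "registry_value" and g[1] == "MachineGuid":
            out["host_id_sources"].append(g[0] + "\\" + g[1])
        elif kind == "window_probe":
            dbg["windows"].append(g[0])
        elif kind == "device_open":
            dbg["devices"].append(g[0])
        elif kind == "process_query" and g[0] == "DebugPort":
            dbg["process_debugport_queries"] += 1
        elif kind == "thread_info_set" and g[0] == "HideFromDebugger":
            dbg["thread_hide_from_debugger"] = True
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

The output keeps `spirittunek.stor` and `bathdoomgaz.stor` verbatim with `tld_verified: false`, which is the correct handling: the report may have truncated them, and only the sample's decrypted strings can settle what the full host names are. The other artifacts map to well-known primitives: `Process queried: DebugPort` is NtQueryInformationProcess with ProcessDebugPort (issued three times here), `Thread information set: HideFromDebugger` is NtSetInformationThread with ThreadHideFromDebugger, which stops a debugger receiving events for that thread, and `File opened: NTICE`, `SICE` and `SIWVID` are the SoftICE driver device names. Class GUID {4d36e968-e325-11ce-bfc1-08002be10318} is the display adapter device class, so `DriverDesc` under it names the GPU driver; together with `SystemBiosVersion` and `VideoBiosVersion` these are the values an analysis VM should present without naming the hypervisor.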

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR