Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1526564
MD5: ac789b4838922466f1437f6e440dc4a3
SHA1: 97fc5c2cdbe860263e156b840ace62149fca84d8
SHA256: 074ee51d9bc6abc3f6c43925201998cdcb801413fc80cde720e493a0dc0e6dd5
Tags: exeuser-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: file.exe.1352.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "bathdoomgaz.stor", "eaglepawnoy.stor", "studennotediw.stor", "dissapoiznw.stor", "mobbipenju.stor", "spirittunek.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}
Source: https://steamcommunity.com:443/profiles/76561199724331900 Virustotal: Detection: 8%
Source: https://licendfilteo.site:443/api Virustotal: Detection: 11%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1813421570.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:65185 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:60052 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:62983 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:58555 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:56921 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:63107 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:58423 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:56876 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: bathdoomgaz.stor
Source: Malware configuration extractor URLs: eaglepawnoy.stor
Source: Malware configuration extractor URLs: studennotediw.stor
Source: Malware configuration extractor URLs: dissapoiznw.stor
Source: Malware configuration extractor URLs: mobbipenju.stor
Source: Malware configuration extractor URLs: spirittunek.stor
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sensatinwu.buzz
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sensatinwu.buzz
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/apij
Source: file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1812736354.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813197895.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812874348.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sensatinwu.buzz/
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813197895.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sensatinwu.buzz/api
Source: file.exe, 00000000.00000003.1812736354.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813197895.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sensatinwu.buzz/api(Q
Source: file.exe, 00000000.00000003.1812736354.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813197895.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sensatinwu.buzz/pi
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sensatinwu.buzz:443/apibcryptPrimitives.dll(
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1812874348.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812846129.000000000103E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813045734.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1812874348.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813045734.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1812874348.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813045734.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/Z
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1812874348.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.0000000001026000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812846129.000000000103E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813045734.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1812861155.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812686642.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816814540.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1813045734.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815851267.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/apiI
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1812650614.0000000001032000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1813045734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B0228 0_2_001B0228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A1000 0_2_001A1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B2030 0_2_001B2030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E4040 0_2_001E4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001EA0D0 0_2_001EA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A5160 0_2_001A5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002991B4 0_2_002991B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AE1A0 0_2_001AE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A71F0 0_2_001A71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004581AA 0_2_004581AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004581B4 0_2_004581B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D82D0 0_2_001D82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D12D0 0_2_001D12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A12F7 0_2_001A12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AA300 0_2_001AA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0021138F 0_2_0021138F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A13A3 0_2_001A13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AB3A0 0_2_001AB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D23E0 0_2_001D23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00360470 0_2_00360470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CC470 0_2_001CC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B049B 0_2_001B049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B4487 0_2_001B4487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036548E 0_2_0036548E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D64F0 0_2_001D64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A35B0 0_2_001A35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00255597 0_2_00255597
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001BC5F0 0_2_001BC5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DF620 0_2_001DF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8652 0_2_001E8652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A164F 0_2_001A164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E86F0 0_2_001E86F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00453701 0_2_00453701
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0035981F 0_2_0035981F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D1860 0_2_001D1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DE8A0 0_2_001DE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DB8C0 0_2_001DB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0035E943 0_2_0035E943
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C098B 0_2_001C098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00368995 0_2_00368995
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E89A0 0_2_001E89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003679EC 0_2_003679EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E4A40 0_2_001E4A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8A80 0_2_001E8A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E7AB0 0_2_001E7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00363B17 0_2_00363B17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001BDB6F 0_2_001BDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A7BF0 0_2_001A7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8C02 0_2_001E8C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00357CBB 0_2_00357CBB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E6CBF 0_2_001E6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CCCD0 0_2_001CCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CFD10 0_2_001CFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CDD29 0_2_001CDD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C8D62 0_2_001C8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B4E2A 0_2_001B4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CAE57 0_2_001CAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0035CE57 0_2_0035CE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8E70 0_2_001E8E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B6EBF 0_2_001B6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001ABEB0 0_2_001ABEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AAF10 0_2_001AAF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A8FD0 0_2_001A8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E7FC0 0_2_001E7FC0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 001BD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 001ACAA0 appears 48 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: file.exe Static PE information: Section: ezfjqhpg ZLIB complexity 0.9938586682930607
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@11/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D8220 CoCreateInstance, 0_2_001D8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 1823232 > 1048576
Source: file.exe Static PE information: Raw size of ezfjqhpg is bigger than: 0x100000 < 0x193800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.1a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ezfjqhpg:EW;piwvgdex:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ezfjqhpg:EW;piwvgdex:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1ca1d8 should be: 0x1bff3c
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ezfjqhpg
Source: file.exe Static PE information: section name: piwvgdex
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DE04C push 771E57FFh; mov dword ptr [esp], edi 0_2_003DE082
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044D0DD push 374DD89Ch; mov dword ptr [esp], eax 0_2_0044D0EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045C0EC push edi; mov dword ptr [esp], 5D60DC9Dh 0_2_0045C651
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004160FC push ebp; mov dword ptr [esp], ecx 0_2_00416100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003910E7 push ebp; mov dword ptr [esp], edx 0_2_00391109
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0039C0DA push 105EC7E8h; mov dword ptr [esp], ebx 0_2_0039C131
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0039C0DA push eax; mov dword ptr [esp], ecx 0_2_0039C189
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003920C9 push 40C8A6A3h; mov dword ptr [esp], esi 0_2_003920BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003920C9 push ebp; mov dword ptr [esp], ecx 0_2_003920E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003920C9 push ebx; mov dword ptr [esp], 7DFF2E26h 0_2_0039244C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003920C9 push 05527B9Bh; mov dword ptr [esp], ecx 0_2_00392462
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0046C171 push edx; mov dword ptr [esp], eax 0_2_0046C1B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DD17E push edx; mov dword ptr [esp], 7FB7FF61h 0_2_003DD1B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DD17E push eax; mov dword ptr [esp], edx 0_2_003DD203
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C102 push 25B8905Eh; mov dword ptr [esp], ebx 0_2_0062C121
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C102 push edi; mov dword ptr [esp], edx 0_2_0062C187
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D121 push ecx; mov dword ptr [esp], edx 0_2_0040D164
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00485139 push ebx; mov dword ptr [esp], edi 0_2_0048513D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00485139 push esi; mov dword ptr [esp], 7FFC9929h 0_2_00485159
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00485139 push 3EF85FADh; mov dword ptr [esp], ecx 0_2_004851D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004341DA push ecx; mov dword ptr [esp], 5254969Dh 0_2_00434204
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002991B4 push edx; mov dword ptr [esp], edi 0_2_00299239
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002991B4 push 410F542Ah; mov dword ptr [esp], edx 0_2_00299380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002991B4 push edx; mov dword ptr [esp], 5DFFCCBCh 0_2_002993A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C1B3 push esi; mov dword ptr [esp], edi 0_2_0062C1B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C1B3 push edx; mov dword ptr [esp], 7F7F8412h 0_2_0062C1D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C1B3 push edi; mov dword ptr [esp], ecx 0_2_0062C1EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C1B3 push 1ADF79B3h; mov dword ptr [esp], edx 0_2_0062C2C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004161AF push edx; mov dword ptr [esp], ecx 0_2_004161B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004161AF push 7CDCD179h; mov dword ptr [esp], ebp 0_2_004161FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004581AA push edx; mov dword ptr [esp], ebx 0_2_0045849D
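Every pair listed above has the same effect as a single push of whatever is finally written at [esp]: "push 771E57FFh; mov dword ptr [esp], edi" is "push edi", "push edi; mov dword ptr [esp], 5D60DC9Dh" is "push 5D60DC9Dh", and "push ebp; mov dword ptr [esp], ecx" is "push ecx". The 32-bit immediates are filler, so they are not worth chasing as keys or hashes. The C routine below is an added example, not code from the report, the sandbox or the sample; it rewrites those three encodings in place on a constructed byte buffer, NOP-padding each replacement to the original length so later offsets and jump targets stay valid, and deliberately leaves "mov [esp], esp" alone because that variant is not equivalent to "push esp". The function names are the example's own. It matches raw opcode bytes; in a real workflow it would be driven from a disassembler's instruction stream so that it cannot match inside another instruction's operand bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REG_ESP 4

/* mov dword ptr [esp], r32: opcode 89 /r with ModRM mod=00 rm=100 (SIB follows) and SIB 0x24 (base esp). */
static int is_mov_esp_reg(const uint8_t *p, size_t n, int *reg) {
    if (n < 3 || p[0] != 0x89 || (p[1] & 0xC7) != 0x04 || p[2] != 0x24) return 0;
    *reg = (p[1] >> 3) & 7;
    return 1;
}

/* mov dword ptr [esp], imm32: opcode C7 /0, ModRM 0x04, SIB 0x24, then the immediate. */
static int is_mov_esp_imm(const uint8_t *p, size_t n) {
    return n >= 7 && p[0] == 0xC7 && p[1] == 0x04 && p[2] == 0x24;
}

/* Rewrite "push X; mov [esp], Y" pairs into "push Y" in place. The replacement is NOP-padded
 * to the original length so offsets and jump targets after it remain valid.
 * Returns the number of pairs rewritten. */
size_t simplify_push_mov(uint8_t *code, size_t len) {
    size_t i = 0, rewrites = 0;
    while (i < len) {
        size_t first_len;
        if (code[i] == 0x68 && i + 5 <= len)  first_len = 5;   /* push imm32 */
        else if ((code[i] & 0xF8) == 0x50)    first_len = 1;   /* push r32   */
        else { i++; continue; }

        const uint8_t *second = code + i + first_len;
        size_t rem = len - i - first_len, second_len = 0, repl_len = 0;
        uint8_t repl[5];
        int reg;
        if (is_mov_esp_reg(second, rem, &reg)) {
            /* "push X; mov [esp], esp" stores esp-4, while "push esp" stores the old esp: not equivalent. */
            if (reg == REG_ESP) { i += first_len; continue; }
            second_len = 3;
            repl[0] = (uint8_t)(0x50 | reg);                /* push r32 */
            repl_len = 1;
        } else if (is_mov_esp_imm(second, rem)) {
            second_len = 7;
            repl[0] = 0x68;                                  /* push imm32 with the same immediate */
            memcpy(repl + 1, second + 3, 4);
            repl_len = 5;
        } else { i += first_len; continue; }

        size_t total = first_len + second_len;
        memcpy(code + i, repl, repl_len);
        memset(code + i + repl_len, 0x90, total - repl_len); /* NOP padding keeps the length */
        rewrites++;
        i += total;
    }
    return rewrites;
}

/* Constructed input: the three shapes listed in the report, then a pair that must be left alone. */
static const uint8_t demo_in[] = {
    0x68, 0xFF, 0x57, 0x1E, 0x77, 0x89, 0x3C, 0x24,   /* push 771E57FFh; mov [esp], edi        */
    0x55, 0x89, 0x0C, 0x24,                           /* push ebp;       mov [esp], ecx        */
    0x57, 0xC7, 0x04, 0x24, 0x9D, 0xDC, 0x60, 0x5D,   /* push edi;       mov [esp], 5D60DC9Dh  */
    0x68, 0x11, 0x22, 0x33, 0x44, 0x89, 0x24, 0x24,   /* push 44332211h; mov [esp], esp (kept) */
};
static const uint8_t demo_expected[] = {
    0x57, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   /* push edi       */
    0x51, 0x90, 0x90, 0x90,                           /* push ecx       */
    0x68, 0x9D, 0xDC, 0x60, 0x5D, 0x90, 0x90, 0x90,   /* push 5D60DC9Dh */
    0x68, 0x11, 0x22, 0x33, 0x44, 0x89, 0x24, 0x24,
};

/* Returns the rewrite count when the output matches the hand-assembled expectation, else -1. */
int demo_simplify(void) {
    uint8_t buf[sizeof demo_in];
    memcpy(buf, demo_in, sizeof buf);
    size_t n = simplify_push_mov(buf, sizeof buf);
    return memcmp(buf, demo_expected, sizeof buf) == 0 ? (int)n : -1;
}

int main(void) {
    uint8_t buf[sizeof demo_in];
    memcpy(buf, demo_in, sizeof buf);
    printf("%zu pairs rewritten:", simplify_push_mov(buf, sizeof buf));
    for (size_t i = 0; i < sizeof buf; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The matcher only handles adjacent pairs; the same obfuscator can also interleave flag-neutral filler between the push and the mov, which a disassembler-driven version would skip over before applying the same rewrite.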
Source: file.exe Static PE information: section name: entropy: 7.978710446995474
Source: file.exe Static PE information: section name: ezfjqhpg entropy: 7.953552456980984
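The checksum mismatch (stored 0x1ca1d8, expected 0x1bff3c), the entropy close to 8 bits per byte in the unnamed section and in ezfjqhpg, and the entry point sitting in .taggant rather than a standard code section are all reproducible without the sandbox. The C program below is an added example and not part of the report: it recomputes IMAGE_OPTIONAL_HEADER.CheckSum with the word-sum algorithm ImageHlp's CheckSumMappedFile implements, computes Shannon entropy for each section, and marks the section that contains AddressOfEntryPoint. The demo_* functions exercise the same routines on constructed byte buffers so the file runs offline; the function names are the example's own, and the log2 helper is hand-rolled only so the file builds with a bare cc and no libm.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* log2(x) for x > 0 without libm: integer part by normalising into [1,2),
 * fraction bit by bit by repeated squaring. Accurate to roughly 1e-14. */
static double log2_pos(double x) {
    double r = 0.0, bit = 0.5;
    while (x >= 2.0) { x *= 0.5; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 48; i++) { x *= x; if (x >= 2.0) { x *= 0.5; r += bit; } bit *= 0.5; }
    return r;
}

/* Shannon entropy in bits per byte: near 0 for padding, near 8 for packed or encrypted data. */
double shannon_entropy(const uint8_t *data, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[data[i]]++;
    for (int b = 0; b < 256; b++)
        if (counts[b]) { double p = (double)counts[b] / (double)len; h -= p * log2_pos(p); }
    return h;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature) + 20 (COFF header) + 64.
 * Returns 0 when the buffer is not a PE image. */
size_t pe_checksum_offset(const uint8_t *data, size_t len) {
    if (len < 0x40 || data[0] != 'M' || data[1] != 'Z') return 0;
    uint32_t pe = rd32(data + 0x3C);
    if ((size_t)pe + 92 > len || memcmp(data + pe, "PE\0\0", 4) != 0) return 0;
    return (size_t)pe + 88;
}

/* CheckSumMappedFile's algorithm: end-around-carry sum of every 16-bit word except the
 * CheckSum field itself, folded to 16 bits, plus the file length. */
uint32_t pe_checksum(const uint8_t *data, size_t len, size_t checksum_off) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (i == checksum_off || i == checksum_off + 2) continue;   /* skip the 4-byte field */
        sum += (uint32_t)data[i] | ((uint32_t)data[i + 1] << 8);
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    if (len & 1) sum += data[len - 1];                               /* odd trailing byte */
    sum = (sum & 0xFFFF) + (sum >> 16);
    sum = (sum + (sum >> 16)) & 0xFFFF;
    return sum + (uint32_t)len;
}

/* Constructed inputs so the routines can be exercised without a sample on disk. */
static const uint8_t words_demo[] = { 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t carry_demo[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };
uint32_t demo_checksum_simple(void) { return pe_checksum(words_demo, sizeof words_demo, 4); } /* 1 + 2 + len 8 */
uint32_t demo_checksum_carry(void)  { return pe_checksum(carry_demo, sizeof carry_demo, 4); } /* 0xFFFF + len 8 */
size_t demo_checksum_offset(void) {            /* MZ stub with e_lfanew = 0x40, so CheckSum sits at 0x98 */
    uint8_t hdr[256] = {0};
    hdr[0] = 'M'; hdr[1] = 'Z'; hdr[0x3C] = 0x40; memcpy(hdr + 0x40, "PE\0\0", 4);
    return pe_checksum_offset(hdr, sizeof hdr);
}
double demo_entropy_uniform(void) { uint8_t b[256]; for (int i = 0; i < 256; i++) b[i] = (uint8_t)i; return shannon_entropy(b, 256); }
double demo_entropy_zeros(void)   { uint8_t b[256] = {0}; return shannon_entropy(b, 256); }

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s file.exe\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { fprintf(stderr, "read failed\n"); return 1; }
    fclose(f);
    size_t off = pe_checksum_offset(buf, (size_t)sz);
    if (!off) { fprintf(stderr, "not a PE image\n"); return 1; }
    uint32_t stored = rd32(buf + off), computed = pe_checksum(buf, (size_t)sz, off);
    printf("checksum: stored 0x%x, computed 0x%x (%s)\n", stored, computed, stored == computed ? "ok" : "MISMATCH");
    /* Section table: entropy per section and the section that holds AddressOfEntryPoint. */
    uint32_t pe = rd32(buf + 0x3C), nsec = buf[pe + 6] | (buf[pe + 7] << 8), opt = buf[pe + 20] | (buf[pe + 21] << 8);
    uint32_t ep = rd32(buf + pe + 24 + 16);
    for (uint32_t s = 0; s < nsec; s++) {
        size_t so = pe + 24 + opt + 40 * (size_t)s;
        if (so + 40 > (size_t)sz) break;
        const uint8_t *sh = buf + so;
        uint32_t vsz = rd32(sh + 8), va = rd32(sh + 12), rawsz = rd32(sh + 16), raw = rd32(sh + 20);
        if ((size_t)raw + rawsz > (size_t)sz) rawsz = raw < (size_t)sz ? (uint32_t)((size_t)sz - raw) : 0;
        printf("%-8.8s entropy %.3f%s\n", (const char *)sh, shannon_entropy(buf + raw, rawsz),
               (ep >= va && ep < va + vsz) ? "  <- entry point" : "");
    }
    free(buf);
    return 0;
}
```

Run it as ./petriage file.exe. A checksum mismatch on its own is weak evidence (many legitimate builds leave the field at zero or stale), but combined with unnamed and randomly named sections at entropy above 7.9 and an entry point outside .text it is the static fingerprint of a packed stub, which is what this report's "Detected unpacking (changes PE section rights)" line confirms dynamically.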

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36E423 second address: 36E42F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F2FF4BC0FB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36E6DF second address: 36E6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36E6E5 second address: 36E70D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F2FF4BC0FC3h 0x00000008 jbe 00007F2FF4BC0FB6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007F2FF4BC0FCBh 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371FDF second address: 371FE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371FE6 second address: 372049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov si, 29CEh 0x0000000c push 00000000h 0x0000000e sub dword ptr [ebp+122D2EC4h], edi 0x00000014 push eax 0x00000015 mov edi, dword ptr [ebp+122D1AD4h] 0x0000001b pop edi 0x0000001c call 00007F2FF4BC0FB9h 0x00000021 jne 00007F2FF4BC0FCDh 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jp 00007F2FF4BC0FCEh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372049 second address: 372095 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2FF4F875F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F2FF4F875FFh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007F2FF4F87609h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F2FF4F875FCh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372095 second address: 37214E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F2FF4BC0FBAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e jbe 00007F2FF4BC0FBCh 0x00000014 mov dword ptr [ebp+122D1C09h], ebx 0x0000001a push 00000003h 0x0000001c pushad 0x0000001d mov eax, ecx 0x0000001f jne 00007F2FF4BC0FC4h 0x00000025 popad 0x00000026 push 00000000h 0x00000028 mov edx, 677C65A1h 0x0000002d push 00000003h 0x0000002f mov dword ptr [ebp+122D2EC4h], edi 0x00000035 xor edx, 1A1C6ED0h 0x0000003b push 78B8D70Eh 0x00000040 jmp 00007F2FF4BC0FC1h 0x00000045 add dword ptr [esp], 474728F2h 0x0000004c mov di, 6EE6h 0x00000050 lea ebx, dword ptr [ebp+12441E4Bh] 0x00000056 push 00000000h 0x00000058 push edx 0x00000059 call 00007F2FF4BC0FB8h 0x0000005e pop edx 0x0000005f mov dword ptr [esp+04h], edx 0x00000063 add dword ptr [esp+04h], 0000001Bh 0x0000006b inc edx 0x0000006c push edx 0x0000006d ret 0x0000006e pop edx 0x0000006f ret 0x00000070 push edi 0x00000071 mov edi, dword ptr [ebp+122D3754h] 0x00000077 pop esi 0x00000078 xchg eax, ebx 0x00000079 pushad 0x0000007a push edi 0x0000007b jmp 00007F2FF4BC0FC1h 0x00000080 pop edi 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37214E second address: 372152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372152 second address: 372156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372156 second address: 372170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F2FF4F875FAh 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3721A1 second address: 3721A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372296 second address: 3722A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3723F3 second address: 372440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F2FF4BC0FC3h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F2FF4BC0FC6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372440 second address: 372470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2FF4F875FFh 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2FF4F87606h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372470 second address: 37249B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F2FF4BC0FB8h 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37249B second address: 3724B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F2FF4F875F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3724B6 second address: 372510 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b cld 0x0000000c lea ebx, dword ptr [ebp+12441E5Fh] 0x00000012 jmp 00007F2FF4BC0FBDh 0x00000017 mov edx, dword ptr [ebp+122D397Ch] 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F2FF4BC0FBCh 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F2FF4BC0FC5h 0x0000002c jnp 00007F2FF4BC0FB6h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372510 second address: 372516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372516 second address: 37251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3918DB second address: 3918F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2FF4F875F6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2FF4F875FEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3918F8 second address: 39190A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39190A second address: 391910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391910 second address: 391914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391914 second address: 39191A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39191A second address: 391924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391924 second address: 39192A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39192A second address: 39192E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39192E second address: 391932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391932 second address: 391938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35E437 second address: 35E448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38FFC2 second address: 38FFE0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2FF4BC0FB6h 0x00000008 jmp 00007F2FF4BC0FC4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38FFE0 second address: 38FFEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2FF4F875FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39016B second address: 39017A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007F2FF4BC0FBAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39045D second address: 390496 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2FF4F875FBh 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F2FF4F87607h 0x0000001a jng 00007F2FF4F875F6h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3905ED second address: 3905F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3905F1 second address: 39060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F875FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F2FF4F875F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39060E second address: 390612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 390612 second address: 390632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2FF4F87608h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366A0B second address: 366A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366A11 second address: 366A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366A15 second address: 366A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366A1B second address: 366A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2FF4F875F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 366A25 second address: 366A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3912B0 second address: 3912B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3912B4 second address: 3912F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F2FF4BC0FD1h 0x0000000f push ebx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391480 second address: 391484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 391484 second address: 391493 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39645A second address: 396479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F2FF4F87609h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3965B9 second address: 3965C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3965C6 second address: 3965D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F875FCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394EA8 second address: 394EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 396730 second address: 396736 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 359358 second address: 35935D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39C991 second address: 39C997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39C997 second address: 39C99B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39C99B second address: 39C9A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39C9A7 second address: 39C9AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CB13 second address: 39CB47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87608h 0x00000007 jmp 00007F2FF4F87608h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CCC3 second address: 39CCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CCC7 second address: 39CCD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CCD1 second address: 39CCD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CCD5 second address: 39CCD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CCD9 second address: 39CD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F2FF4BC0FB8h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F2FF4BC0FC5h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CD04 second address: 39CD12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F2FF4F875FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CD12 second address: 39CD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CD1B second address: 39CD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1320 second address: 3A1326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1519 second address: 3A1527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F2FF4F875F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A17C8 second address: 3A17E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A18B0 second address: 3A18C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A18C2 second address: 3A18D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1982 second address: 3A1999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2FF4F87600h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1F99 second address: 3A1FA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F2FF4BC0FB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A226A second address: 3A226E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2312 second address: 3A2335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2335 second address: 3A233A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A25B6 second address: 3A25C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2FF4BC0FB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A25C1 second address: 3A25C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A355B second address: 3A3593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 push edx 0x00000009 movzx esi, ax 0x0000000c pop edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F2FF4BC0FB8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b movsx edi, cx 0x0000002e xchg eax, ebx 0x0000002f push ecx 0x00000030 push ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3593 second address: 3A35B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2FF4F87607h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A35B3 second address: 3A35BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 361AA0 second address: 361AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A6099 second address: 3A60A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 361AA4 second address: 361AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A97E6 second address: 3A984A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 jmp 00007F2FF4BC0FC2h 0x0000000d pop edi 0x0000000e nop 0x0000000f mov dword ptr [ebp+1247786Ah], ecx 0x00000015 push 00000000h 0x00000017 mov si, 0D70h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F2FF4BC0FB8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 clc 0x00000038 xchg eax, ebx 0x00000039 jmp 00007F2FF4BC0FBFh 0x0000003e push eax 0x0000003f jp 00007F2FF4BC0FC8h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A95A7 second address: 3A95C9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F2FF4F87605h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A984A second address: 3A984E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AC070 second address: 3AC077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AC077 second address: 3AC07C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AC07C second address: 3AC082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF64D second address: 3AF651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE6E9 second address: 3AE6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF84B second address: 3AF855 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2FF4BC0FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE6ED second address: 3AE6F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF855 second address: 3AF871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2FF4BC0FC7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF871 second address: 3AF87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1834 second address: 3B1841 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF87F second address: 3AF885 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1841 second address: 3B189A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F2FF4BC0FC7h 0x0000000c popad 0x0000000d nop 0x0000000e add dword ptr [ebp+122DB3C0h], esi 0x00000014 push 00000000h 0x00000016 sub dword ptr [ebp+122D2B2Eh], edx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F2FF4BC0FB8h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 clc 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jnp 00007F2FF4BC0FB6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B189A second address: 3B18A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1A7B second address: 3B1A85 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2FF4BC0FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B39BF second address: 3B39C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B39C4 second address: 3B3A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F2FF4BC0FB8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov bx, 2C00h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov bl, cl 0x00000031 mov bh, 7Fh 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov ebx, ecx 0x0000003c mov eax, dword ptr [ebp+122D14A1h] 0x00000042 adc edi, 24B9348Eh 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007F2FF4BC0FB8h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 jns 00007F2FF4BC0FB8h 0x0000006a nop 0x0000006b pushad 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B3A46 second address: 3B3A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F2FF4F87601h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B57AE second address: 3B57BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B698A second address: 3B69D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx edi, di 0x0000000e adc edi, 6E5B634Bh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F2FF4F875F8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 xor edi, 3987B771h 0x00000036 push 00000000h 0x00000038 mov ebx, dword ptr [ebp+122D37A4h] 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B69D2 second address: 3B69D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B69D6 second address: 3B69E0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B59C3 second address: 3B59C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B59C9 second address: 3B59D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2FF4F875F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B78CE second address: 3B78D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8A09 second address: 3B8A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8AED second address: 3B8AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8C16 second address: 3B8C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8C1C second address: 3B8C34 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2FF4BC0FB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jp 00007F2FF4BC0FB6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8C34 second address: 3B8C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8C39 second address: 3B8C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B9D52 second address: 3B9D58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B9D58 second address: 3B9D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBC81 second address: 3BBC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2FF4F875F6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jp 00007F2FF4F875FCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBC97 second address: 3BBC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BAC9D second address: 3BAD09 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2FF4F875FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov di, 5B73h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 or edi, dword ptr [ebp+12461F6Dh] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov ebx, dword ptr [ebp+122D2B24h] 0x0000002b mov eax, dword ptr [ebp+122D06D9h] 0x00000031 movzx edi, di 0x00000034 push FFFFFFFFh 0x00000036 call 00007F2FF4F875FDh 0x0000003b call 00007F2FF4F875FEh 0x00000040 mov edi, dword ptr [ebp+122D2D57h] 0x00000046 pop ebx 0x00000047 pop edi 0x00000048 nop 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F2FF4F875FAh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BAD09 second address: 3BAD30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2FF4BC0FBBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BCC50 second address: 3BCC6A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F2FF4F875FCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BCC6A second address: 3BCC7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4BC0FBFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBDEF second address: 3BBDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBDF4 second address: 3BBE9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2FF4BC0FC7h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F2FF4BC0FB8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov ebx, esi 0x0000002a push dword ptr fs:[00000000h] 0x00000031 or dword ptr [ebp+122D2A79h], edx 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F2FF4BC0FB8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 or dword ptr [ebp+122D2A79h], edi 0x0000005e mov eax, dword ptr [ebp+122D0161h] 0x00000064 mov bx, di 0x00000067 push FFFFFFFFh 0x00000069 jl 00007F2FF4BC0FCDh 0x0000006f jmp 00007F2FF4BC0FC7h 0x00000074 push eax 0x00000075 push ecx 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BCE0E second address: 3BCE14 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BDD69 second address: 3BDD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BDD6D second address: 3BDD73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BDD73 second address: 3BDD78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C4505 second address: 3C452F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2FF4F875F6h 0x00000008 jmp 00007F2FF4F875FAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2FF4F87606h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C7123 second address: 3C713E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jg 00007F2FF4BC0FC0h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C713E second address: 3C7143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C7143 second address: 3C715A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F2FF4BC0FC0h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA0CB second address: 3CA0DE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2FF4F875F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D2412 second address: 3D246C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2FF4BC0FB6h 0x0000000a jmp 00007F2FF4BC0FC3h 0x0000000f popad 0x00000010 je 00007F2FF4BC0FC9h 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007F2FF4BC0FC1h 0x0000001d push eax 0x0000001e jnc 00007F2FF4BC0FB6h 0x00000024 jne 00007F2FF4BC0FB6h 0x0000002a pop eax 0x0000002b popad 0x0000002c push edi 0x0000002d pushad 0x0000002e push edx 0x0000002f pop edx 0x00000030 jmp 00007F2FF4BC0FBCh 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1800 second address: 3D1810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jl 00007F2FF4F875F6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1810 second address: 3D1816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1816 second address: 3D181A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1C7C second address: 3D1CAF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2FF4BC0FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F2FF4BC0FBAh 0x00000010 jmp 00007F2FF4BC0FC9h 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1CAF second address: 3D1CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1E39 second address: 3D1E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1E40 second address: 3D1E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1E46 second address: 3D1E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1E4C second address: 3D1E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1F9D second address: 3D1FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1FA1 second address: 3D1FB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jp 00007F2FF4F875F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D210B second address: 3D2111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D2299 second address: 3D229D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D229D second address: 3D22A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6373 second address: 3D6389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2FF4F875F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F2FF4F875F6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D64D3 second address: 3D64E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D64E1 second address: 3D64E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D64E7 second address: 3D64ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D606A second address: 3D6072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6E11 second address: 3D6E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D7486 second address: 3D749E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jnp 00007F2FF4F8761Dh 0x0000000d push ecx 0x0000000e jnp 00007F2FF4F875F6h 0x00000014 pop ecx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE0B3 second address: 3DE0BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE0BD second address: 3DE0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DCE24 second address: 3DCE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2FF4BC0FB6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DCE2F second address: 3DCE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DCE35 second address: 3DCE4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2FF4BC0FBBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DCE4F second address: 3DCE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F2FF4F875F6h 0x00000011 jns 00007F2FF4F875F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DCE66 second address: 3DCE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F2FF4BC0FB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD2A3 second address: 3DD2B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD2B1 second address: 3DD2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD2B5 second address: 3DD2BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD5AB second address: 3DD5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2FF4BC0FB6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD5B6 second address: 3DD5C0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2FF4F875FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD9CA second address: 3DD9D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD9D7 second address: 3DD9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F875FDh 0x00000009 js 00007F2FF4F875F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DDF3A second address: 3DDF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2FF4BC0FB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35FF47 second address: 35FF7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FCh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F2FF4F87609h 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35FF7B second address: 35FF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FC8D second address: 39FCAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87603h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FCAA second address: 39FCB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F2FF4BC0FB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FCB8 second address: 39FCE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b clc 0x0000000c lea eax, dword ptr [ebp+1246F995h] 0x00000012 mov dx, bx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jng 00007F2FF4F875F6h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FCE5 second address: 38771F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2FF4BC0FB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F2FF4BC0FBFh 0x00000012 call dword ptr [ebp+122D298Eh] 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A012F second address: 203A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b mov dl, 82h 0x0000000d push dword ptr [ebp+122D0D01h] 0x00000013 jmp 00007F2FF4F87605h 0x00000018 call dword ptr [ebp+122D2DB9h] 0x0000001e pushad 0x0000001f jng 00007F2FF4F875FCh 0x00000025 mov dword ptr [ebp+122D22C7h], ecx 0x0000002b xor eax, eax 0x0000002d jmp 00007F2FF4F87609h 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 pushad 0x00000037 call 00007F2FF4F87605h 0x0000003c jno 00007F2FF4F875F6h 0x00000042 pop eax 0x00000043 add ebx, dword ptr [ebp+122D3938h] 0x00000049 popad 0x0000004a mov dword ptr [ebp+122D3964h], eax 0x00000050 pushad 0x00000051 push edx 0x00000052 sub dword ptr [ebp+122D22C7h], edi 0x00000058 pop ebx 0x00000059 popad 0x0000005a mov esi, 0000003Ch 0x0000005f mov dword ptr [ebp+122D22C7h], ebx 0x00000065 xor dword ptr [ebp+122D22C7h], ecx 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f pushad 0x00000070 sub ebx, dword ptr [ebp+122D3768h] 0x00000076 mov dword ptr [ebp+122D22C7h], esi 0x0000007c popad 0x0000007d lodsw 0x0000007f sub dword ptr [ebp+122D22C7h], edx 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 mov dword ptr [ebp+122D22C7h], eax 0x0000008f cld 0x00000090 mov ebx, dword ptr [esp+24h] 0x00000094 cmc 0x00000095 push eax 0x00000096 push ecx 0x00000097 pushad 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A01B8 second address: 3A01BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0255 second address: 3A0259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0259 second address: 3A029A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 add dword ptr [esp], 63719ED7h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F2FF4BC0FB8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 sub dword ptr [ebp+122D2DAEh], eax 0x0000002e push 17502F7Eh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A029A second address: 3A02A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A03A8 second address: 3A03AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0CF9 second address: 3A0D07 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0D07 second address: 3A0D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0D0B second address: 3A0D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1036 second address: 3A104C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5702 second address: 3E5733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F875FFh 0x00000009 jnp 00007F2FF4F875FAh 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 push edx 0x00000015 jmp 00007F2FF4F875FEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5733 second address: 3E5739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5739 second address: 3E573D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5869 second address: 3E58A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F2FF4BC0FB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F2FF4BC0FC2h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 jg 00007F2FF4BC0FC2h 0x0000001b pushad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E59FC second address: 3E5A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5A02 second address: 3E5A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2FF4BC0FC8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5DD9 second address: 3E5DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5DE1 second address: 3E5DF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBAh 0x00000007 jnl 00007F2FF4BC0FB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5DF9 second address: 3E5DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5DFD second address: 3E5E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC525 second address: 3EC52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC52B second address: 3EC54E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4BC0FC9h 0x00000009 jns 00007F2FF4BC0FB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC697 second address: 3EC6BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87606h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F2FF4F875F8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC9FD second address: 3ECA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3ECA02 second address: 3ECA15 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2FF4F875FEh 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EEB52 second address: 3EEB56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EEB56 second address: 3EEB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EEB60 second address: 3EEB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F2FF4BC0FB6h 0x0000000a jmp 00007F2FF4BC0FC7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EEB81 second address: 3EEBA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F2FF4F875F6h 0x00000011 jmp 00007F2FF4F875FCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EEBA8 second address: 3EEBAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED16 second address: 3EED2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4F87600h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED2C second address: 3EED3A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED3A second address: 3EED4E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F2FF4F875FCh 0x0000000e jno 00007F2FF4F875F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED4E second address: 3EED6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4BC0FC7h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED6B second address: 3EED77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EED77 second address: 3EED7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F2F65 second address: 3F2F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F2F6D second address: 3F2F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F2F7A second address: 3F2F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F320C second address: 3F3210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F3210 second address: 3F323C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2FF4F87607h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F65A0 second address: 3F65C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2FF4BC0FC7h 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F65C6 second address: 3F65D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2FF4F875F6h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F65D4 second address: 3F65DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5DD6 second address: 3F5E0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87602h 0x00000007 pushad 0x00000008 jmp 00007F2FF4F875FDh 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F2FF4F875F6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5E0A second address: 3F5E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5E0E second address: 3F5E1C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5E1C second address: 3F5E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5FC7 second address: 3F5FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F5FCB second address: 3F5FF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F2FF4BC0FD2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB21C second address: 3FB222 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB222 second address: 3FB233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F2FF4BC0FB6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB233 second address: 3FB238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB238 second address: 3FB23D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB506 second address: 3FB51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 jmp 00007F2FF4F875FDh 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB51E second address: 3FB53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4BC0FC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB53A second address: 3FB540 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FBA5A second address: 3FBA8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F2FF4BC0FC0h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F2FF4BC0FB6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FBA8F second address: 3FBA95 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FC428 second address: 3FC439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4BC0FBBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FC439 second address: 3FC43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FC43E second address: 3FC443 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35C9F5 second address: 35C9F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 402CB4 second address: 402CC4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F2FF4BC0FDFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 402CC4 second address: 402CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 402CCA second address: 402CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 402E13 second address: 402E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 402E17 second address: 402E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4043A1 second address: 4043A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4043A7 second address: 4043AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4043AC second address: 4043CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87608h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4043CA second address: 4043DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F2FF4BC0FBDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4046E4 second address: 4046F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FBh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4046F4 second address: 4046FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4094A9 second address: 4094AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4094AD second address: 4094B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4085CE second address: 408639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2FF4F87609h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F2FF4F875F8h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jmp 00007F2FF4F87604h 0x0000001a jmp 00007F2FF4F87607h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F2FF4F875FFh 0x00000026 jo 00007F2FF4F875F6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 408D53 second address: 408D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4BC0FBFh 0x00000009 jl 00007F2FF4BC0FBAh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 408F07 second address: 408F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87608h 0x00000009 jmp 00007F2FF4F87603h 0x0000000e popad 0x0000000f pop edx 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409073 second address: 40907C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40907C second address: 40909F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87607h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push edi 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 417D04 second address: 417D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41614C second address: 41616C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F2FF4F87605h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41657E second address: 416583 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 416583 second address: 416592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jbe 00007F2FF4F875FEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 416D79 second address: 416D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 416D83 second address: 416D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41EC31 second address: 41EC4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41EC4C second address: 41EC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41EC50 second address: 41EC6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FBDh 0x00000007 jne 00007F2FF4BC0FB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41EC6F second address: 41EC75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41EC75 second address: 41EC8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2FF4BC0FBBh 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jbe 00007F2FF4BC0FB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41E91C second address: 41E920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41E920 second address: 41E93C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2FF4BC0FBEh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41E93C second address: 41E955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87604h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41E955 second address: 41E970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4BC0FC5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41E970 second address: 41E974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43EBE5 second address: 43EBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43EBE9 second address: 43EC1F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2FF4F875F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F2FF4F87601h 0x00000010 jmp 00007F2FF4F875FBh 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F2FF4F87607h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43EC1F second address: 43EC44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2FF4BC0FC0h 0x0000000c jmp 00007F2FF4BC0FBAh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 441388 second address: 44138C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44138C second address: 4413B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2FF4BC0FC7h 0x0000000b pop edi 0x0000000c jbe 00007F2FF4BC0FD9h 0x00000012 pushad 0x00000013 jl 00007F2FF4BC0FB6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 443B36 second address: 443B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2FF4F875F6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44BA84 second address: 44BA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44BD5B second address: 44BD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 jmp 00007F2FF4F875FAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44C3DD second address: 44C3E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44C3E7 second address: 44C417 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F875FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F2FF4F87606h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44CDFE second address: 44CE2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC0h 0x00000007 jmp 00007F2FF4BC0FC8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44CE2F second address: 44CE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87609h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45066E second address: 450672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45FDC6 second address: 45FDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45FDCA second address: 45FDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45FDD0 second address: 45FDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007F2FF4F875FCh 0x0000000d jns 00007F2FF4F875FEh 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45FDF5 second address: 45FE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2FF4BC0FB6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F2FF4BC0FB6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45FE0A second address: 45FE0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46BEFD second address: 46BF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46BF06 second address: 46BF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4857E7 second address: 48580E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2FF4BC0FBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2FF4BC0FC5h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48498C second address: 4849A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2FF4F875F6h 0x0000000a jmp 00007F2FF4F87601h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4849A7 second address: 4849BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F2FF4BC0FB6h 0x0000000f jp 00007F2FF4BC0FB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4850A0 second address: 4850A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4850A5 second address: 4850AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485384 second address: 485389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485389 second address: 485393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F2FF4BC0FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486D88 second address: 486D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F2FF4F875F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48836F second address: 488377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488377 second address: 48837C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48837C second address: 4883A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 ja 00007F2FF4BC0FCDh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4883A8 second address: 4883CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F87608h 0x00000009 jo 00007F2FF4F875F6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4883CD second address: 4883D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ACC0 second address: 48ACC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ACC9 second address: 48ACCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B018 second address: 48B033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F2FF4F875FAh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B2BA second address: 48B2FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007F2FF4BC0FB6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jnp 00007F2FF4BC0FB9h 0x00000013 movzx edx, ax 0x00000016 push dword ptr [ebp+12440002h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F2FF4BC0FB8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov edx, ecx 0x00000038 push 28A2FB69h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B2FF second address: 48B30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2FF4F875FBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48CB1B second address: 48CB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F2FF4BC0FB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48CB28 second address: 48CB59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F2FF4F87601h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F2FF4F875FAh 0x00000018 jng 00007F2FF4F875FCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C669 second address: 48C66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C66F second address: 48C676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C676 second address: 48C686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F2FF4BC0FBAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F0001F second address: 4F0005B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ebx, 71729D4Eh 0x00000017 call 00007F2FF4F875FFh 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F0005B second address: 4F0007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4BC0FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F0007D second address: 4F0009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F0009A second address: 4F000AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2FF4BC0FBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F000AA second address: 4F000AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F000AE second address: 4F000C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F2FF4BC0FE5h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edx, eax 0x00000013 mov ax, 322Bh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F000C6 second address: 4F000F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2FF4F87601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b jmp 00007F2FF4F875FEh 0x00000010 mov eax, dword ptr [eax+00000860h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b mov ecx, edi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F000F9 second address: 4F00131 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test eax, eax 0x0000000c jmp 00007F2FF4BC0FBAh 0x00000011 je 00007F30658B7C06h 0x00000017 jmp 00007F2FF4BC0FC0h 0x0000001c test byte ptr [eax+04h], 00000005h 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 mov edi, 677CDD8Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A4268 second address: 3A426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 203AA8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3964FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 203A1A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5284 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 3844 Thread sleep time: -30000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.1813461032.0000000000378000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1813197895.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812736354.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRL
Source: file.exe, 00000000.00000002.1813461032.0000000000378000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $qEmu
Source: file.exe, 00000000.00000003.1812736354.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1813197895.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1814606395.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1816020866.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1813461032.0000000000378000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E5BB0 LdrInitializeThunk, 0_2_001E5BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, file.exe, 00000000.00000002.1813461032.0000000000378000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VProgram Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR