Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1526972
MD5: 30da1d41d3aef9c33749c840ae2343b8
SHA1: 76257e255e89334abfeeb8afe10d5adecbbd91c4
SHA256: c24402c282bbbf1c45d3778beb440d39d4980179e8a923911949875f12d51dba
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Found malware configuration
Source: file.exe.5748.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.stor", "clearancek.site", "eaglepawnoy.stor", "mobbipenju.stor", "spirittunek.stor", "licendfilteo.site", "studennotediw.stor", "bathdoomgaz.stor"], "Build id": "4SD0y4--legendaryy"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1310246800.00000000000F1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49701 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001350FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_000FD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_000FD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_001363B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00135700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_0013695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_001399D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_000FFCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00100EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_000F1000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_0012F030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00106F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00134040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00136094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0011D1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00112260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00112260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_001042FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_000FA300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_0010B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0011E40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0010D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00131440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0011C470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_001364B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00119510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00106536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00137520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_000F8590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_0012B650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0011E66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00137710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0011D7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_001367EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_001128E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00133920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_0010D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_000F49A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00101A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00134A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_000F5A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00101ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00139B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_0010DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_0010DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00120B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00103BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00101BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00117C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_0012FC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_0011EC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_0011AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_0011AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_0011CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0011CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_0011CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00139CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00139CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_0011FD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0011DD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00138D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00104E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_0011AE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00115E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00117E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00101E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_000F6EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00106EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_000FBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0012FF70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00119F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00106F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00135FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_0010FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00137FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00137FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_000F8FD0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:50461 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:50605 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:60401 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:60969 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:63384 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:50490 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:51073 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:60295 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.206.204:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: dissapoiznw.stor
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.stor
Source: Malware configuration extractor URLs: mobbipenju.stor
Source: Malware configuration extractor URLs: spirittunek.stor
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: studennotediw.stor
Source: Malware configuration extractor URLs: bathdoomgaz.stor
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.206.204 172.67.206.204
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: / https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tvD equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1311410801.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaigB equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1311410801.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaigB equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000002.1311652132.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/G9
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311652132.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apih
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv
Source: file.exe, 00000000.00000002.1311410801.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1309102302.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tvD
Source: file.exe, 00000000.00000002.1311410801.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaigB
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000002.1311410801.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1309204959.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308929689.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1308335259.0000000001455000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1296959107.0000000001449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000002.1311871531.0000000001413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49701 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00100228 0_2_00100228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F1000 0_2_000F1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00102030 0_2_00102030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134040 0_2_00134040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013A0D0 0_2_0013A0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F5160 0_2_000F5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FE1A0 0_2_000FE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F71F0 0_2_000F71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A 0_2_002CB26A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001282D0 0_2_001282D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001212D0 0_2_001212D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003352FE 0_2_003352FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F12F7 0_2_000F12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FA300 0_2_000FA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A2309 0_2_002A2309
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003913BC 0_2_003913BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F13A3 0_2_000F13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FB3A0 0_2_000FB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001223E0 0_2_001223E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011C470 0_2_0011C470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010049B 0_2_0010049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00104487 0_2_00104487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001264F0 0_2_001264F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002C14DD 0_2_002C14DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F8590 0_2_000F8590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F35B0 0_2_000F35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010C5F0 0_2_0010C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012F620 0_2_0012F620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F164F 0_2_000F164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00138652 0_2_00138652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001386F0 0_2_001386F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0028F72B 0_2_0028F72B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002C97BA 0_2_002C97BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002137D2 0_2_002137D2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FA850 0_2_000FA850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00121860 0_2_00121860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002BA8A1 0_2_002BA8A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012E8A0 0_2_0012E8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012B8C0 0_2_0012B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002AD8CE 0_2_002AD8CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011098B 0_2_0011098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001389A0 0_2_001389A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002AF9CC 0_2_002AF9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002C4A23 0_2_002C4A23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134A40 0_2_00134A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00138A80 0_2_00138A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137AB0 0_2_00137AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E2B4E 0_2_001E2B4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00208B4A 0_2_00208B4A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010DB6F 0_2_0010DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F7BF0 0_2_000F7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00138C02 0_2_00138C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00136CBF 0_2_00136CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011CCD0 0_2_0011CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011FD10 0_2_0011FD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002C7D31 0_2_002C7D31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011DD29 0_2_0011DD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0024DD60 0_2_0024DD60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00118D62 0_2_00118D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0020ED9D 0_2_0020ED9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00104E2A 0_2_00104E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0011AE57 0_2_0011AE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00138E70 0_2_00138E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002BDE5E 0_2_002BDE5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A4E83 0_2_002A4E83
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00106EBF 0_2_00106EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FBEB0 0_2_000FBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00223EEC 0_2_00223EEC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FAF10 0_2_000FAF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013EF53 0_2_0013EF53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001ABF60 0_2_001ABF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002FDFAF 0_2_002FDFAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002C2FB6 0_2_002C2FB6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137FC0 0_2_00137FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F8FD0 0_2_000F8FD0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000FCAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0010D300 appears 152 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9996067966171617
Source: file.exe Static PE information: Section: wwrljzle ZLIB complexity 0.9941454430696886
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00128220 CoCreateInstance, 0_2_00128220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1830400 > 1048576
Source: file.exe Static PE information: Raw size of wwrljzle is bigger than: 0x100000 < 0x195600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wwrljzle:EW;uvlyxxks:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wwrljzle:EW;uvlyxxks:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1ce1c2 should be: 0x1c59f8
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: wwrljzle
Source: file.exe Static PE information: section name: uvlyxxks
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0033A025 push 76E1B9FAh; mov dword ptr [esp], eax 0_2_0033A089
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00389014 push eax; mov dword ptr [esp], edi 0_2_00389205
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0031F004 push edi; mov dword ptr [esp], edx 0_2_0031F38B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00374069 push 0D1EB938h; mov dword ptr [esp], esp 0_2_0037408D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C20AF push 684929E1h; mov dword ptr [esp], ecx 0_2_003C2189
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002DF096 push ecx; mov dword ptr [esp], eax 0_2_002E1133
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CF1B8 push ebp; mov dword ptr [esp], ebx 0_2_002CF1F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002DD1E9 push ebx; mov dword ptr [esp], 5B667617h 0_2_002DD215
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001561D2 push eax; mov dword ptr [esp], ecx 0_2_00157E62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B122F push edi; mov dword ptr [esp], ebx 0_2_003B1246
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002FE230 push edx; mov dword ptr [esp], 4068A2D8h 0_2_002FE25F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 1E14D63Eh; mov dword ptr [esp], edx 0_2_002CB272
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 68D9E916h; mov dword ptr [esp], ebx 0_2_002CB2F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push esi; mov dword ptr [esp], esp 0_2_002CB30A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push edi; mov dword ptr [esp], esi 0_2_002CB324
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push edi; mov dword ptr [esp], ebx 0_2_002CB389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push edi; mov dword ptr [esp], edx 0_2_002CB3AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 4C3B281Eh; mov dword ptr [esp], esp 0_2_002CB40B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push edx; mov dword ptr [esp], esi 0_2_002CB40F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push ebx; mov dword ptr [esp], edi 0_2_002CB4BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 50400CC9h; mov dword ptr [esp], ebx 0_2_002CB55B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 5214FCBEh; mov dword ptr [esp], edx 0_2_002CB5F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push eax; mov dword ptr [esp], esp 0_2_002CB5F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push ecx; mov dword ptr [esp], 47FBDF80h 0_2_002CB635
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push eax; mov dword ptr [esp], edx 0_2_002CB63E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 36C6A083h; mov dword ptr [esp], edi 0_2_002CB68D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 31DFD9D1h; mov dword ptr [esp], ebp 0_2_002CB6C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 49F91773h; mov dword ptr [esp], edi 0_2_002CB757
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 74933F97h; mov dword ptr [esp], esp 0_2_002CB76C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push ecx; mov dword ptr [esp], ebp 0_2_002CB7BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002CB26A push 27D43719h; mov dword ptr [esp], ebx 0_2_002CB7D9
Source: file.exe Static PE information: section name: entropy: 7.984430674001358
Source: file.exe Static PE information: section name: wwrljzle entropy: 7.95266308333564

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 154162 second address: 154166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 154166 second address: 15416C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 15416C second address: 1539EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor dword ptr [ebp+122D2018h], edx 0x00000012 pushad 0x00000013 mov eax, dword ptr [ebp+122D36C2h] 0x00000019 or eax, dword ptr [ebp+122D38F6h] 0x0000001f popad 0x00000020 push dword ptr [ebp+122D1531h] 0x00000026 pushad 0x00000027 adc edx, 5FBB9F0Dh 0x0000002d mov edx, 2EDF008Ah 0x00000032 popad 0x00000033 call dword ptr [ebp+122D1B66h] 0x00000039 pushad 0x0000003a pushad 0x0000003b pushad 0x0000003c jng 00007F65504F5A46h 0x00000042 mov bx, cx 0x00000045 popad 0x00000046 popad 0x00000047 xor eax, eax 0x00000049 mov dword ptr [ebp+122D211Dh], edx 0x0000004f mov edx, dword ptr [esp+28h] 0x00000053 jo 00007F65504F5A4Ch 0x00000059 or dword ptr [ebp+122D2032h], eax 0x0000005f mov dword ptr [ebp+122D35BAh], eax 0x00000065 stc 0x00000066 mov esi, 0000003Ch 0x0000006b jmp 00007F65504F5A50h 0x00000070 mov dword ptr [ebp+122D203Eh], edx 0x00000076 add esi, dword ptr [esp+24h] 0x0000007a jns 00007F65504F5A4Ch 0x00000080 lodsw 0x00000082 sub dword ptr [ebp+122D2032h], edi 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c xor dword ptr [ebp+122D203Eh], ecx 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 mov dword ptr [ebp+122D203Eh], edx 0x0000009c mov dword ptr [ebp+122D211Dh], edx 0x000000a2 push eax 0x000000a3 push ecx 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 pushad 0x000000a7 popad 0x000000a8 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BBF83 second address: 2BBF9D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push esi 0x0000000c pushad 0x0000000d jmp 00007F655118F74Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BBF9D second address: 2BBFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEDFF second address: 2CEE09 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F655118F74Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEF8A second address: 2CEF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F65504F5A46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEF95 second address: 2CEFA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F655118F746h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF586 second address: 2CF58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF58A second address: 2CF58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF58E second address: 2CF59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF6CD second address: 2CF6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF6D3 second address: 2CF6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D32DB second address: 2D32E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D32E0 second address: 2D32E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D32E6 second address: 2D332E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jbe 00007F655118F750h 0x0000000f jmp 00007F655118F74Ah 0x00000014 pop edi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007F655118F752h 0x0000001f jns 00007F655118F748h 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F655118F74Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D332E second address: 2D3333 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3333 second address: 2D3343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3343 second address: 2D3347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3347 second address: 2D3365 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F655118F752h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3365 second address: 2D3369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3369 second address: 1539EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 sbb cl, FFFFFFCFh 0x0000000b je 00007F655118F749h 0x00000011 movsx edx, cx 0x00000014 push dword ptr [ebp+122D1531h] 0x0000001a jmp 00007F655118F750h 0x0000001f call dword ptr [ebp+122D1B66h] 0x00000025 pushad 0x00000026 pushad 0x00000027 pushad 0x00000028 jng 00007F655118F746h 0x0000002e mov bx, cx 0x00000031 popad 0x00000032 popad 0x00000033 xor eax, eax 0x00000035 mov dword ptr [ebp+122D211Dh], edx 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f jo 00007F655118F74Ch 0x00000045 or dword ptr [ebp+122D2032h], eax 0x0000004b mov dword ptr [ebp+122D35BAh], eax 0x00000051 stc 0x00000052 mov esi, 0000003Ch 0x00000057 jmp 00007F655118F750h 0x0000005c mov dword ptr [ebp+122D203Eh], edx 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 jns 00007F655118F74Ch 0x0000006c lodsw 0x0000006e sub dword ptr [ebp+122D2032h], edi 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 xor dword ptr [ebp+122D203Eh], ecx 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D203Eh], edx 0x00000088 mov dword ptr [ebp+122D211Dh], edx 0x0000008e push eax 0x0000008f push ecx 0x00000090 push eax 0x00000091 push edx 0x00000092 pushad 0x00000093 popad 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D34C1 second address: 2D351E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F65504F5A4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jne 00007F65504F5A48h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007F65504F5A46h 0x0000001c popad 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push edi 0x00000023 pushad 0x00000024 jnc 00007F65504F5A46h 0x0000002a jo 00007F65504F5A46h 0x00000030 popad 0x00000031 pop edi 0x00000032 pop eax 0x00000033 add edi, dword ptr [ebp+122D2BCFh] 0x00000039 lea ebx, dword ptr [ebp+1245322Bh] 0x0000003f mov esi, dword ptr [ebp+122D377Eh] 0x00000045 pushad 0x00000046 mov dword ptr [ebp+122D1F60h], edi 0x0000004c mov edx, esi 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D35FE second address: 2D3693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push esi 0x0000000a jmp 00007F655118F758h 0x0000000f pop esi 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007F655118F756h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F655118F752h 0x00000020 pop eax 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D1F0Ah], edx 0x00000029 mov cx, F4DCh 0x0000002d push 00000000h 0x0000002f sbb dl, 00000055h 0x00000032 push 00000003h 0x00000034 call 00007F655118F755h 0x00000039 call 00007F655118F74Ah 0x0000003e mov dword ptr [ebp+122D202Eh], ecx 0x00000044 pop ecx 0x00000045 pop esi 0x00000046 push 8E2C18F2h 0x0000004b push edx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D371E second address: 2D3723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3723 second address: 2D376D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F752h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add di, 524Fh 0x00000011 push 00000000h 0x00000013 mov esi, 180DD2D6h 0x00000018 call 00007F655118F749h 0x0000001d jmp 00007F655118F74Bh 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F655118F74Dh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D376D second address: 2D37C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F65504F5A4Ch 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F65504F5A4Fh 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007F65504F5A53h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jnc 00007F65504F5A48h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D37C8 second address: 2D37CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D37CF second address: 2D3856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 add dword ptr [ebp+122D1EEDh], edx 0x0000000e push 00000003h 0x00000010 mov ecx, 13E859BDh 0x00000015 jp 00007F65504F5A4Ch 0x0000001b mov dword ptr [ebp+122D2BC3h], esi 0x00000021 push 00000000h 0x00000023 je 00007F65504F5A46h 0x00000029 push 00000003h 0x0000002b mov dword ptr [ebp+122D1A7Dh], ebx 0x00000031 call 00007F65504F5A49h 0x00000036 jmp 00007F65504F5A50h 0x0000003b push eax 0x0000003c jmp 00007F65504F5A54h 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 push ecx 0x00000046 jc 00007F65504F5A52h 0x0000004c jmp 00007F65504F5A4Ch 0x00000051 pop ecx 0x00000052 mov eax, dword ptr [eax] 0x00000054 je 00007F65504F5A58h 0x0000005a push eax 0x0000005b push edx 0x0000005c jno 00007F65504F5A46h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3856 second address: 2D3868 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3868 second address: 2D386E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D386E second address: 2D38B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pop eax 0x00000007 mov edi, dword ptr [ebp+122D35BAh] 0x0000000d jns 00007F655118F74Eh 0x00000013 lea ebx, dword ptr [ebp+1245323Fh] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F655118F748h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 or ecx, dword ptr [ebp+122D2986h] 0x00000039 push eax 0x0000003a pushad 0x0000003b pushad 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E53F9 second address: 2E540D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA385 second address: 2BA396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA396 second address: 2BA3A0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F65504F5A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA3A0 second address: 2BA3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007F655118F746h 0x00000013 jmp 00007F655118F753h 0x00000018 popad 0x00000019 jmp 00007F655118F759h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA3E0 second address: 2BA3EA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65504F5A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F186F second address: 2F187A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F655118F746h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F187A second address: 2F18A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F65504F5A5Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1A3E second address: 2F1A4C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1BB3 second address: 2F1BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1BC2 second address: 2F1BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2285 second address: 2F228B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F228B second address: 2F228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2414 second address: 2F2418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2418 second address: 2F2422 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2422 second address: 2F2426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2426 second address: 2F246D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F752h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F655118F757h 0x00000016 popad 0x00000017 jmp 00007F655118F751h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F246D second address: 2F2472 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F25DB second address: 2F25E9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F25E9 second address: 2F25F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F65504F5A46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2BC2 second address: 2F2BD2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F655118F746h 0x00000008 jns 00007F655118F746h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2BD2 second address: 2F2BE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F65504F5A4Ch 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2BE8 second address: 2F2BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F3060 second address: 2F306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F65504F5A46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F6922 second address: 2F692C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FA23D second address: 2FA247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F65504F5A46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FEAEE second address: 2FEAF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FDEDF second address: 2FDEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FDEEB second address: 2FDEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE0A8 second address: 2FE0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65504F5A50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE0BC second address: 2FE0D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE0D3 second address: 2FE0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FE0EB second address: 2FE11D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F655118F74Dh 0x00000011 pushad 0x00000012 jmp 00007F655118F755h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30096F second address: 300975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300975 second address: 300979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300979 second address: 3009A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 44BAC270h 0x0000000f mov dword ptr [ebp+122D2090h], ebx 0x00000015 add esi, 0B7C6623h 0x0000001b call 00007F65504F5A49h 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jo 00007F65504F5A46h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3009A6 second address: 300A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F757h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c jne 00007F655118F756h 0x00000012 pop eax 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F655118F74Bh 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F655118F759h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300A08 second address: 300A2D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65504F5A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F65504F5A4Ch 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push ebx 0x00000016 pushad 0x00000017 js 00007F65504F5A46h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3015CA second address: 30161B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], ebx 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F655118F748h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 cmc 0x00000024 or dword ptr [ebp+122D29E7h], ecx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007F655118F74Fh 0x00000033 jmp 00007F655118F74Dh 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30161B second address: 301620 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3020B9 second address: 3020BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3020BF second address: 302116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F65504F5A58h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F65504F5A57h 0x00000014 pop edx 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D2324h], edx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 jc 00007F65504F5A4Ch 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 302B40 second address: 302B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D2BBDh] 0x0000000f push 00000000h 0x00000011 jmp 00007F655118F74Eh 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 push eax 0x0000001a mov dword ptr [ebp+122D1BB4h], esi 0x00000020 pop ecx 0x00000021 jg 00007F655118F74Ch 0x00000027 xor edi, dword ptr [ebp+122D36DAh] 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F655118F74Dh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 302B87 second address: 302B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65504F5A52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 303DBE second address: 303DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3048A1 second address: 3048A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3048A5 second address: 3048A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3048A9 second address: 3048AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 305CDC second address: 305CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 305CE0 second address: 305D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov di, 7993h 0x0000000e push 00000000h 0x00000010 call 00007F65504F5A57h 0x00000015 mov edi, dword ptr [ebp+122D2A12h] 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F65504F5A48h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 stc 0x00000039 or di, 9200h 0x0000003e xchg eax, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 je 00007F65504F5A52h 0x00000047 jmp 00007F65504F5A4Ch 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 305D4B second address: 305D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F655118F74Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F655118F759h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 305D80 second address: 305D9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30666B second address: 30666F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30666F second address: 306675 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AF88 second address: 30AF8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 306F6C second address: 306F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 307A30 second address: 307A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30A018 second address: 30A08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+12474393h], edi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push esi 0x00000016 xor dword ptr [ebp+122D1856h], edx 0x0000001c pop edi 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F65504F5A48h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e jnp 00007F65504F5A4Ch 0x00000044 mov dword ptr [ebp+122D193Ah], ecx 0x0000004a mov eax, dword ptr [ebp+122D0661h] 0x00000050 or di, 39A8h 0x00000055 push FFFFFFFFh 0x00000057 push edx 0x00000058 jp 00007F65504F5A48h 0x0000005e mov bl, ch 0x00000060 pop edi 0x00000061 nop 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B1AC second address: 30B1B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30A08F second address: 30A093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30C28F second address: 30C293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B2A0 second address: 30B2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F10F second address: 30F11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F655118F746h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F11C second address: 30F14C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A51h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65504F5A51h 0x0000000e jmp 00007F65504F5A4Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30C293 second address: 30C31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push edi 0x00000009 mov di, si 0x0000000c pop ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F655118F748h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e or di, D371h 0x00000033 mov ebx, 4BFBAC00h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov eax, dword ptr [ebp+122D03D9h] 0x00000045 mov ebx, dword ptr [ebp+122D377Ah] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push ebx 0x00000050 call 00007F655118F748h 0x00000055 pop ebx 0x00000056 mov dword ptr [esp+04h], ebx 0x0000005a add dword ptr [esp+04h], 00000015h 0x00000062 inc ebx 0x00000063 push ebx 0x00000064 ret 0x00000065 pop ebx 0x00000066 ret 0x00000067 jne 00007F655118F74Ch 0x0000006d mov edi, dword ptr [ebp+122D35D6h] 0x00000073 push eax 0x00000074 push edi 0x00000075 push ecx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B2A4 second address: 30B2AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F14C second address: 30F152 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F152 second address: 30F16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jnp 00007F65504F5A4Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C5F10 second address: 2C5F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F7D7 second address: 30F7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 and ebx, dword ptr [ebp+12463D37h] 0x0000000e push 00000000h 0x00000010 xor ebx, dword ptr [ebp+122D32F4h] 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+1245A792h], edx 0x0000001e xchg eax, esi 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F7FB second address: 30F7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30F7FF second address: 30F803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 311943 second address: 3119A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F655118F75Bh 0x00000008 jmp 00007F655118F755h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 or dword ptr [ebp+122D2D08h], eax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F655118F748h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 pushad 0x00000035 mov si, CCAFh 0x00000039 popad 0x0000003a push eax 0x0000003b js 00007F655118F754h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3119A2 second address: 3119A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3109FD second address: 310A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 310A01 second address: 310A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 314B24 second address: 314B2E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 314B2E second address: 314BA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F65504F5A48h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 jmp 00007F65504F5A55h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F65504F5A48h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 push 00000000h 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jl 00007F65504F5A48h 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 314BA2 second address: 314BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F655118F748h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 314BC6 second address: 314BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312C51 second address: 312C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312C5A second address: 312C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 315D2B second address: 315D3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 315D3B second address: 315D40 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 316D40 second address: 316D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 316D44 second address: 316D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 314DDD second address: 314DF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F655118F746h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 315E7C second address: 315E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 318D9E second address: 318DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 317F97 second address: 317FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 js 00007F65504F5A46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 317FA5 second address: 317FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F655118F74Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31901C second address: 319053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F65504F5A58h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65504F5A54h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31B153 second address: 31B158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 321F4D second address: 321F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 321F53 second address: 321F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F655118F759h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 321F74 second address: 321F9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65504F5A4Eh 0x0000000d jmp 00007F65504F5A53h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 322100 second address: 322104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 322104 second address: 32210D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32210D second address: 322113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 322113 second address: 322127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jnc 00007F65504F5A46h 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 322127 second address: 32213F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F655118F752h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32213F second address: 322143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 322143 second address: 322165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F655118F746h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3223B3 second address: 3223B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3223B9 second address: 3223BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C92E8 second address: 2C9303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65504F5A54h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 327618 second address: 327630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007F655118F746h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 327630 second address: 32764F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F65504F5A46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32EB17 second address: 32EB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F655118F746h 0x0000000a popad 0x0000000b js 00007F655118F748h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F655118F74Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CADA7 second address: 2CADAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CADAD second address: 2CADB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CADB1 second address: 2CADBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CADBB second address: 2CADC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CADC1 second address: 2CADCB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65504F5A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32DEE4 second address: 32DEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32DEE8 second address: 32DEEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E479 second address: 32E480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E480 second address: 32E48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F65504F5A46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E48C second address: 32E490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E490 second address: 32E49A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65504F5A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E49A second address: 32E4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F655118F748h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jbe 00007F655118F746h 0x0000001b pop edi 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 push edi 0x00000022 pop edi 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E78E second address: 32E794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E794 second address: 32E7BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F750h 0x00000007 jmp 00007F655118F74Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F655118F74Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32E970 second address: 32E976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333B0E second address: 333B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F655118F746h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333B1A second address: 333B2A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65504F5A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333B2A second address: 333B2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333C9C second address: 333CAC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F65504F5A48h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333CAC second address: 333CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push esi 0x0000000d jns 00007F655118F746h 0x00000013 pop esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333F5E second address: 333F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 333F67 second address: 333F7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F655118F751h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC2A second address: 2EAC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC2E second address: 2EAC42 instructions: 0x00000000 rdtsc 0x00000002 je 00007F655118F746h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F655118F74Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC42 second address: 2EAC60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F65504F5A53h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC60 second address: 2EAC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC64 second address: 2EAC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F65504F5A4Ah 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC74 second address: 2EAC7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAC7C second address: 2EAC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 339FB1 second address: 339FC1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F655118F746h 0x00000008 jp 00007F655118F746h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 339FC1 second address: 339FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 339FC7 second address: 339FD5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F655118F74Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C455B second address: 2C455F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 338D02 second address: 338D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 338D0A second address: 338D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 338FFA second address: 339000 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 339982 second address: 339986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33FA75 second address: 33FA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF56C second address: 2BF583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007F65504F5A46h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF583 second address: 2BF58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF58B second address: 2BF591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF591 second address: 2BF596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF596 second address: 2BF59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF59C second address: 2BF5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF5A2 second address: 2BF5A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3410E4 second address: 341101 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F655118F754h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 345177 second address: 34517D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34517D second address: 345194 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F655118F746h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF365 second address: 2FF36F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65504F5A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF36F second address: 2EA097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov cl, 91h 0x00000009 mov dword ptr [ebp+122D211Dh], eax 0x0000000f call dword ptr [ebp+122D3520h] 0x00000015 push ecx 0x00000016 push eax 0x00000017 jmp 00007F655118F755h 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF496 second address: 2FF4AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FF4AF second address: 2FF4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FFA1E second address: 2FFA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F65504F5A46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FFB34 second address: 2FFB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FFCD1 second address: 2FFCD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FFCD5 second address: 2FFCE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F655118F746h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FFE61 second address: 2FFED2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F65504F5A48h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov cl, bl 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F65504F5A48h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 nop 0x00000049 jmp 00007F65504F5A50h 0x0000004e push eax 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jp 00007F65504F5A46h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3001A6 second address: 3001AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3001AC second address: 30020A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F65504F5A55h 0x00000011 nop 0x00000012 sbb cl, 00000023h 0x00000015 push 0000001Eh 0x00000017 jmp 00007F65504F5A52h 0x0000001c nop 0x0000001d jmp 00007F65504F5A4Ch 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30020A second address: 30021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F655118F74Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3004EB second address: 3004EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3004EF second address: 300504 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300504 second address: 30052A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65504F5A48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jnl 00007F65504F5A4Ah 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F65504F5A4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30052A second address: 30052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30052E second address: 300533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300634 second address: 300638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300638 second address: 2EAC2A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F65504F5A48h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 clc 0x00000022 lea eax, dword ptr [ebp+1247F065h] 0x00000028 push esi 0x00000029 pushad 0x0000002a or dword ptr [ebp+1245A55Bh], edi 0x00000030 call 00007F65504F5A59h 0x00000035 pop esi 0x00000036 popad 0x00000037 pop edi 0x00000038 nop 0x00000039 jmp 00007F65504F5A4Ah 0x0000003e push eax 0x0000003f pushad 0x00000040 jmp 00007F65504F5A58h 0x00000045 pushad 0x00000046 push esi 0x00000047 pop esi 0x00000048 push edi 0x00000049 pop edi 0x0000004a popad 0x0000004b popad 0x0000004c nop 0x0000004d stc 0x0000004e call dword ptr [ebp+122D3222h] 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3447A1 second address: 3447A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3448F4 second address: 344914 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65504F5A56h 0x00000008 jg 00007F65504F5A46h 0x0000000e jmp 00007F65504F5A4Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F65504F5A46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 344D5C second address: 344D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 344D64 second address: 344D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jng 00007F65504F5A46h 0x0000000e jbe 00007F65504F5A46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347F6D second address: 347F83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F655118F74Bh 0x00000008 jl 00007F655118F746h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347AFC second address: 347B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347B00 second address: 347B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347B04 second address: 347B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A52h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F65504F5A46h 0x00000012 jbe 00007F65504F5A46h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347B2B second address: 347B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F655118F746h 0x0000000c jmp 00007F655118F754h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347C56 second address: 347C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A57h 0x00000009 jne 00007F65504F5A46h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34AA08 second address: 34AA1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F655118F74Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351A3C second address: 351A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A56h 0x00000007 jmp 00007F65504F5A59h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F65504F5A4Eh 0x00000013 pop edi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F65504F5A46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 350D6C second address: 350D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 350D70 second address: 350D78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 350D78 second address: 350D7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35101C second address: 351020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351020 second address: 351024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351024 second address: 35102A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35102A second address: 351031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35118D second address: 35119C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F65504F5A46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35119C second address: 3511A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3511A0 second address: 3511A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 356E6B second address: 356E85 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c jnc 00007F655118F748h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35576D second address: 355782 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355782 second address: 35579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F655118F74Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355930 second address: 355936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355936 second address: 35593A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35593A second address: 355940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355A8B second address: 355A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355E2D second address: 355E3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F65504F5A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355E3C second address: 355E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 355E48 second address: 355E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30003C second address: 300046 instructions: 0x00000000 rdtsc 0x00000002 js 00007F655118F74Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300046 second address: 300051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300051 second address: 30005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30005B second address: 300085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 jnp 00007F65504F5A4Ch 0x0000000d mov ebx, dword ptr [ebp+1247F0A4h] 0x00000013 mov dl, D3h 0x00000015 add eax, ebx 0x00000017 push edi 0x00000018 mov di, C43Dh 0x0000001c pop edx 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300085 second address: 300089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300089 second address: 30008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30008F second address: 3000C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jmp 00007F655118F753h 0x00000010 pop eax 0x00000011 nop 0x00000012 mov ecx, edx 0x00000014 push 00000004h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3560D9 second address: 3560DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3560DE second address: 3560E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3560E3 second address: 3560E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3560E9 second address: 356111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F655118F751h 0x00000009 jmp 00007F655118F74Dh 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3592F4 second address: 359303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 359303 second address: 359321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F655118F74Ch 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3595E2 second address: 3595EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3595EE second address: 3595F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35EA75 second address: 35EA7F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65504F5A5Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35EA7F second address: 35EA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F655118F74Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F655118F746h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35ED54 second address: 35ED59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35FEE7 second address: 35FEF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 364D96 second address: 364D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36409D second address: 3640C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F655118F746h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F655118F755h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3640C0 second address: 3640C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3640C4 second address: 3640C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3644C6 second address: 3644D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 364944 second address: 364948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37109B second address: 3710D2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65504F5A46h 0x00000008 jmp 00007F65504F5A52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 push edi 0x00000011 jmp 00007F65504F5A51h 0x00000016 jo 00007F65504F5A52h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3710D2 second address: 3710D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36F931 second address: 36F935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36F935 second address: 36F939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAA1 second address: 36FAB0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65504F5A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAB0 second address: 36FABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FABD second address: 36FAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A53h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65504F5A51h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAEA second address: 36FAF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAF2 second address: 36FAF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAF7 second address: 36FAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FAFD second address: 36FB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F65504F5A46h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FC6D second address: 36FC7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FC7F second address: 36FC84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FDCA second address: 36FDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FDD1 second address: 36FDE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65504F5A54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FDE9 second address: 36FDF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F655118F746h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36FDF9 second address: 36FDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377670 second address: 377674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377674 second address: 377678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377678 second address: 377688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007F655118F760h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38627E second address: 386288 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65504F5A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 386288 second address: 38628E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3882BB second address: 3882E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A55h 0x00000009 jo 00007F65504F5A46h 0x0000000f popad 0x00000010 pushad 0x00000011 ja 00007F65504F5A46h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E19D second address: 38E1A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E1A1 second address: 38E1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E1AC second address: 38E1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E1B0 second address: 38E1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65504F5A59h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F65504F5A46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38E1D9 second address: 38E1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39BE5C second address: 39BE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F65504F5A46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39BE66 second address: 39BE9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F655118F759h 0x00000010 jbe 00007F655118F746h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39BCC1 second address: 39BCD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A4Dh 0x00000007 js 00007F65504F5A52h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39E27B second address: 39E281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39E281 second address: 39E285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3DFE second address: 3A3E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F74Dh 0x00000007 jng 00007F655118F746h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F655118F748h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E1D second address: 3A3E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E22 second address: 3A3E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E31 second address: 3A3E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F65504F5A59h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E52 second address: 3A3E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3FAF second address: 3A3FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3FB8 second address: 3A3FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3FBC second address: 3A3FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3FC4 second address: 3A4002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F655118F755h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jl 00007F655118F746h 0x00000010 jmp 00007F655118F752h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F655118F746h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A4199 second address: 3A419D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A419D second address: 3A41C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ebx 0x00000008 pushad 0x00000009 jmp 00007F655118F758h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A4743 second address: 3A4747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A4747 second address: 3A4766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F655118F755h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A4766 second address: 3A476A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A476A second address: 3A4772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B33F6 second address: 3B3402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B3402 second address: 3B3409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B3409 second address: 3B3414 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F65504F5A46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C28C5 second address: 3C28D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 ja 00007F655118F746h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C40B9 second address: 3C40BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C40BE second address: 3C40D7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F655118F74Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C40D7 second address: 3C40FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jl 00007F65504F5A46h 0x0000000c jmp 00007F65504F5A59h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C40FD second address: 3C4103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C4103 second address: 3C411C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C411C second address: 3C4120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C2ACF second address: 2C2ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65504F5A4Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C6A13 second address: 3C6A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C6B7D second address: 3C6B8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F65504F5A46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DF23B second address: 3DF245 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F655118F746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE1BF second address: 3DE1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE1C5 second address: 3DE1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F655118F74Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE54C second address: 3DE55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 js 00007F65504F5A52h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DE55D second address: 3DE563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DEADD second address: 3DEAE9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65504F5A4Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DEC46 second address: 3DEC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DEF21 second address: 3DEF4D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65504F5A46h 0x00000008 jmp 00007F65504F5A54h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F65504F5A4Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E074E second address: 3E0752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E3063 second address: 3E306A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E32FC second address: 3E3300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E33B2 second address: 3E33EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F65504F5A48h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 or edx, dword ptr [ebp+1245A600h] 0x00000029 push 00000004h 0x0000002b cld 0x0000002c call 00007F65504F5A49h 0x00000031 push eax 0x00000032 push edx 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4D4C second address: 3E4D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4D52 second address: 3E4D56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4D56 second address: 3E4D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F655118F74Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4D69 second address: 3E4D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4D6D second address: 3E4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a je 00007F655118F757h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0CD1 second address: 51E0D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65504F5A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f pushad 0x00000010 mov cl, dh 0x00000012 popad 0x00000013 test ecx, ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F65504F5A4Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0D02 second address: 51E0D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0D06 second address: 51E0D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 303C6F second address: 303C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 153997 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 153A52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1511D6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2FF4EF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 37C607 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 6020 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6020 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1310394130.00000000002D9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1311652132.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1309204959.00000000013ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp?
Source: file.exe, 00000000.00000002.1311410801.000000000138E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1311410801.00000000013C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1310394130.00000000002D9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00135BB0 LdrInitializeThunk, 0_2_00135BB0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe, file.exe, 00000000.00000002.1310394130.00000000002D9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: !@Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526972 Sample: file.exe Startdate: 06/10/2024 Architecture: WINDOWS Score: 100 10 sergei-esenin.com 2->10 12 licendfilteo.site 2->12 14 8 other IPs or domains 2->14 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 8 other signatures 2->26 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 sergei-esenin.com 172.67.206.204, 443, 49701 CLOUDFLARENETUS United States 6->16 18 steamcommunity.com 104.102.49.254, 443, 49700 AKAMAI-ASUS United States 6->18 28 Detected unpacking (changes PE section rights) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 Tries to evade debugger and weak emulator (self modifying code) 6->32 34 4 other signatures 6->34 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
sergei-esenin.com 172.67.206.204 true
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
studennotediw.stor true
    		unknown
    mobbipenju.stor true
      		unknown
      https://steamcommunity.com/profiles/76561199724331900 true
      • URL Reputation: malware
      		 unknown
      bathdoomgaz.stor true
        		unknown
        dissapoiznw.stor true
          		unknown
          spirittunek.stor true
            		unknown
            eaglepawnoy.stor true
              		unknown
              clearancek.site true
                		unknown
                licendfilteo.site true
                  		unknown
                  https://sergei-esenin.com/api true
                    		unknown