Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528660
MD5: cc9f4d3852fc71589b37a660197d11d5
SHA1: 59e8dceb4013812a86eb0bcdc93a047d3625190b
SHA256: 4959ea9b83eb93d47393542fa6bef79b7d81dd272ceb9310f1c6f3e152a06c42
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: file.exe.3208.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "spirittunek.stor", "dissapoiznw.stor", "licendfilteo.site", "bathdoomgaz.stor", "eaglepawnoy.stor", "mobbipenju.stor", "studennotediw.stor"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for domain / URL
Source: sergei-esenin.com Virustotal: Detection: 11% Perma Link
Source: bathdoomgaz.store Virustotal: Detection: 13% Perma Link
Source: licendfilteo.site Virustotal: Detection: 15% Perma Link
Source: clearancek.site Virustotal: Detection: 17% Perma Link
Source: mobbipenju.store Virustotal: Detection: 13% Perma Link
Source: spirittunek.store Virustotal: Detection: 13% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 17% Perma Link
Source: studennotediw.store Virustotal: Detection: 17% Perma Link
Source: dissapoiznw.store Virustotal: Detection: 13% Perma Link
Source: https://sergei-esenin.com:443/apifiles/76561199724331900 Virustotal: Detection: 9% Perma Link
Source: https://sergei-esenin.com/p Virustotal: Detection: 8% Perma Link
Source: https://sergei-esenin.com/_ Virustotal: Detection: 11% Perma Link
Source: https://sergei-esenin.com/apih Virustotal: Detection: 11% Perma Link
Source: licendfilteo.site Virustotal: Detection: 15% Perma Link
Source: https://sergei-esenin.com/api$ Virustotal: Detection: 11% Perma Link
Source: clearancek.site Virustotal: Detection: 17% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2085396337.0000000000781000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49705 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0078D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0078D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_007C63B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007C5700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_007C695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_007C99D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0078FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00790EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_007C4040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_007BF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00796F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_00781000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_007C6094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_007AD1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_007A2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_007A2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_007942FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_0078A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_007AC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0079D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_007C1440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_0079B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_007AE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_007C64B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00796536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_007C7520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_007A9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_00788590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_007AE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_007BB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_007C7710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_007C67EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_007AD7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_007A28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_0079D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_007C3920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_007849A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00785A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_007C4A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00791A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00791ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_0079DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_0079DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_007C9B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00791BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00793BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_007B0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_007AEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_007BFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_007A7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007C9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_007C9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_007ACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007ACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_007ACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_007AAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_007AAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_007ADD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_007AFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007C8D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007A5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_007A7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_007AAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00794E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00796EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_0078BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00786EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00791E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007BFF70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_007A9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_0079FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00788FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_007C5FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_007C7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_007C7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00796F91

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:56648 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:59883 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:53226 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:60753 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:65108 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:60733 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:64737 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:63983 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.206.204:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: spirittunek.stor
Source: Malware configuration extractor URLs: dissapoiznw.stor
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: bathdoomgaz.stor
Source: Malware configuration extractor URLs: eaglepawnoy.stor
Source: Malware configuration extractor URLs: mobbipenju.stor
Source: Malware configuration extractor URLs: studennotediw.stor
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.206.204 172.67.206.204
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=cd3472c77f17062a12faec21; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837x equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000002.2085908053.00000000011D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/_
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api$
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api?e
Source: file.exe, 00000000.00000003.2085241301.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086073758.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apih
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/g
Source: file.exe, 00000000.00000002.2086073758.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085241301.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/p
Source: file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apifiles/76561199724331900
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2075664185.0000000001215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086129088.0000000001261000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2085214502.0000000001259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075542118.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00790228 0_2_00790228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4040 0_2_007C4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00792030 0_2_00792030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00781000 0_2_00781000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CA0D0 0_2_007CA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00785160 0_2_00785160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007871F0 0_2_007871F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078E1A0 0_2_0078E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007812F7 0_2_007812F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 0_2_0094B200
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B82D0 0_2_007B82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B12D0 0_2_007B12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2639A 0_2_00A2639A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078A300 0_2_0078A300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B23E0 0_2_007B23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078B3A0 0_2_0078B3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007813A3 0_2_007813A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A0360 0_2_008A0360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007AC470 0_2_007AC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009444AC 0_2_009444AC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B64F0 0_2_007B64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0079049B 0_2_0079049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00794487 0_2_00794487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A55BA 0_2_008A55BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008BB5D2 0_2_008BB5D2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0079C5F0 0_2_0079C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007835B0 0_2_007835B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00788590 0_2_00788590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C8652 0_2_007C8652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078164F 0_2_0078164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BF620 0_2_007BF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C86F0 0_2_007C86F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B1860 0_2_007B1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078A850 0_2_0078A850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00958827 0_2_00958827
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BB8C0 0_2_007BB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BE8A0 0_2_007BE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0093F9CC 0_2_0093F9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C89A0 0_2_007C89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007A098B 0_2_007A098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4A40 0_2_007C4A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7AB0 0_2_007C7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C8A80 0_2_007C8A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C1B9D 0_2_008C1B9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0079DB6F 0_2_0079DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00951BCE 0_2_00951BCE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00787BF0 0_2_00787BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00829B1A 0_2_00829B1A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094CB5C 0_2_0094CB5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00956CAB 0_2_00956CAB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00955CDA 0_2_00955CDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C8C02 0_2_007C8C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007ACCD0 0_2_007ACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C6CBF 0_2_007C6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007A8D62 0_2_007A8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007ADD29 0_2_007ADD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007AFD10 0_2_007AFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082ED66 0_2_0082ED66
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C8E70 0_2_007C8E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007AAE57 0_2_007AAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00794E2A 0_2_00794E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00796EBF 0_2_00796EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078BEB0 0_2_0078BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F9FCB 0_2_009F9FCB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078AF10 0_2_0078AF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00788FD0 0_2_00788FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7FC0 0_2_007C7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00939F43 0_2_00939F43
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0079D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0078CAA0 appears 48 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994134179042904
Source: file.exe Static PE information: Section: ailacznz ZLIB complexity 0.9945220854280926
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B8220 CoCreateInstance, 0_2_007B8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1850368 > 1048576
Source: file.exe Static PE information: Raw size of ailacznz is bigger than: 0x100000 < 0x19a400

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.780000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ailacznz:EW;ftzdjqez:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ailacznz:EW;ftzdjqez:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1d1e7d should be: 0x1d2fab
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ailacznz
Source: file.exe Static PE information: section name: ftzdjqez
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099509B push edi; mov dword ptr [esp], 51786D00h 0_2_009950BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3C089 push ebx; mov dword ptr [esp], ecx 0_2_00A3C10E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F70E0 push 08CA5931h; mov dword ptr [esp], edx 0_2_009F70FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F70E0 push eax; mov dword ptr [esp], esi 0_2_009F713A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F70E0 push edx; mov dword ptr [esp], edi 0_2_009F71A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F70E0 push ecx; mov dword ptr [esp], eax 0_2_009F7242
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0096D1AA push esi; mov dword ptr [esp], eax 0_2_0096D709
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A491C4 push 1D3BA9D4h; mov dword ptr [esp], ebp 0_2_00A491DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A491C4 push 42DDC30Fh; mov dword ptr [esp], edi 0_2_00A49680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0095C1EB push 12848C1Ch; mov dword ptr [esp], edi 0_2_0095C37A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0095C1EB push edi; mov dword ptr [esp], 0DF8A17Ah 0_2_0095C457
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CA10D push 4BC4E925h; mov dword ptr [esp], esi 0_2_009CA1AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F6103 push ebx; mov dword ptr [esp], 1CFD8A9Bh 0_2_009F613D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F6103 push ebp; mov dword ptr [esp], 73FFE87Ah 0_2_009F616C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F6103 push edx; mov dword ptr [esp], eax 0_2_009F6186
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A10101 push edi; mov dword ptr [esp], esi 0_2_00A10149
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A10101 push ebx; mov dword ptr [esp], edx 0_2_00A10172
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009DA12D push edx; mov dword ptr [esp], edi 0_2_009DA184
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009DA12D push eax; mov dword ptr [esp], ecx 0_2_009DA1CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009DA12D push 3B1B2842h; mov dword ptr [esp], esi 0_2_009DA1EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097214F push ebp; mov dword ptr [esp], edx 0_2_00972159
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CF249 push edx; ret 0_2_007CF24B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push eax; mov dword ptr [esp], ecx 0_2_0094B26D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push 09044893h; mov dword ptr [esp], edx 0_2_0094B28B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push esi; mov dword ptr [esp], 7BF5FDEDh 0_2_0094B290
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push 687BC467h; mov dword ptr [esp], eax 0_2_0094B2FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push edx; mov dword ptr [esp], ecx 0_2_0094B34E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push 4701CF00h; mov dword ptr [esp], ecx 0_2_0094B359
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push esi; mov dword ptr [esp], 5DAF0DFCh 0_2_0094B407
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push 41D14914h; mov dword ptr [esp], edx 0_2_0094B429
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094B200 push ecx; mov dword ptr [esp], esp 0_2_0094B44B
Source: file.exe Static PE information: section name: entropy: 7.9737388508474325
Source: file.exe Static PE information: section name: ailacznz entropy: 7.953996751177959

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3A29 second address: 7E3A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F3EA second address: 95F3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F3EE second address: 95F415 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF518700CBFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF518700CBEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F415 second address: 95F419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F419 second address: 95F41F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9627E8 second address: 9627EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9627EC second address: 9627F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9627F2 second address: 9627F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9627F7 second address: 962827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF518700CB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e ja 00007FF518700CC8h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962827 second address: 962831 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962831 second address: 962837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962837 second address: 96286E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FF5188675B0h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF5188675B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96286E second address: 7E3A29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov dword ptr [ebp+122D1895h], esi 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 push dword ptr [ebp+122D116Dh] 0x00000018 mov esi, dword ptr [ebp+122D2C0Ch] 0x0000001e call dword ptr [ebp+122D309Eh] 0x00000024 pushad 0x00000025 xor dword ptr [ebp+122D20BEh], eax 0x0000002b xor eax, eax 0x0000002d sub dword ptr [ebp+122D1ABEh], edx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 pushad 0x00000038 jmp 00007FF518700CC4h 0x0000003d jmp 00007FF518700CBCh 0x00000042 popad 0x00000043 mov dword ptr [ebp+122D2A98h], eax 0x00000049 mov dword ptr [ebp+122D20BEh], edx 0x0000004f mov esi, 0000003Ch 0x00000054 sub dword ptr [ebp+122D1CB9h], eax 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e pushad 0x0000005f cld 0x00000060 mov ecx, eax 0x00000062 popad 0x00000063 pushad 0x00000064 mov eax, dword ptr [ebp+122D2ACCh] 0x0000006a add dword ptr [ebp+122D1F48h], edx 0x00000070 popad 0x00000071 lodsw 0x00000073 jg 00007FF518700CC4h 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d cld 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 add dword ptr [ebp+122D34E4h], esi 0x00000088 nop 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c jp 00007FF518700CB6h 0x00000092 push eax 0x00000093 push edx 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9629C5 second address: 9629CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962AA1 second address: 962AC7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov si, DE55h 0x0000000e sub dword ptr [ebp+122D1EC3h], edx 0x00000014 push 00000000h 0x00000016 xor dword ptr [ebp+122D19A2h], eax 0x0000001c push CC1DBC56h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962AC7 second address: 962ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962ACB second address: 962B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF518700CC7h 0x0000000b popad 0x0000000c add dword ptr [esp], 33E2442Ah 0x00000013 movsx esi, si 0x00000016 jmp 00007FF518700CBCh 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FF518700CB8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 call 00007FF518700CC6h 0x0000003c jl 00007FF518700CBCh 0x00000042 mov esi, dword ptr [ebp+122D2AD0h] 0x00000048 pop esi 0x00000049 push 00000000h 0x0000004b xor dword ptr [ebp+122D30E5h], ebx 0x00000051 push 00000003h 0x00000053 jbe 00007FF518700CBCh 0x00000059 adc edx, 6EDD9B52h 0x0000005f push BC6F6217h 0x00000064 pushad 0x00000065 pushad 0x00000066 jmp 00007FF518700CC6h 0x0000006b jne 00007FF518700CB6h 0x00000071 popad 0x00000072 push eax 0x00000073 push edx 0x00000074 jnp 00007FF518700CB6h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962B87 second address: 962BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 03909DE9h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FF5188675A8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 lea ebx, dword ptr [ebp+12452713h] 0x0000002e mov edi, dword ptr [ebp+122D2B54h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushad 0x00000039 popad 0x0000003a jnc 00007FF5188675A6h 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C1C second address: 962C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C20 second address: 962C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C26 second address: 962C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FF518700CB6h 0x00000009 jg 00007FF518700CB6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 mov esi, 0BCB34CEh 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D30E5h], eax 0x00000022 call 00007FF518700CB9h 0x00000027 pushad 0x00000028 jmp 00007FF518700CBAh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C60 second address: 962C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C64 second address: 962C7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 jnl 00007FF518700CB8h 0x0000000f pop edi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962C7E second address: 962CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jne 00007FF5188675AAh 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 jmp 00007FF5188675B2h 0x0000001b pop eax 0x0000001c jmp 00007FF5188675B9h 0x00000021 push 00000003h 0x00000023 xor dword ptr [ebp+122D30D2h], edx 0x00000029 push 00000000h 0x0000002b jmp 00007FF5188675AAh 0x00000030 push 00000003h 0x00000032 pushad 0x00000033 clc 0x00000034 mov ecx, dword ptr [ebp+122D31B9h] 0x0000003a popad 0x0000003b push 68EA667Ch 0x00000040 pushad 0x00000041 jbe 00007FF5188675A8h 0x00000047 pushad 0x00000048 popad 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962CF0 second address: 962D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 57159984h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FF518700CB8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 lea ebx, dword ptr [ebp+1245271Eh] 0x0000002f mov edi, dword ptr [ebp+122D19DFh] 0x00000035 xchg eax, ebx 0x00000036 jno 00007FF518700CBEh 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 jno 00007FF518700CB6h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981620 second address: 981625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981625 second address: 98162B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9817B7 second address: 9817F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FF5188675ADh 0x0000000b popad 0x0000000c jc 00007FF5188675A8h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007FF5188675B6h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9817F2 second address: 9817FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9817FA second address: 981800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981800 second address: 981819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF518700CC1h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981BF2 second address: 981BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981BFB second address: 981C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981C01 second address: 981C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981C05 second address: 981C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981C09 second address: 981C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981D58 second address: 981D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FF518700CB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981EA7 second address: 981EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981EB1 second address: 981EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981EB7 second address: 981EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981EBE second address: 981EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981EC4 second address: 981ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98205B second address: 982062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9824BB second address: 9824D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9824D5 second address: 9824F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF518700CBFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9824F4 second address: 982531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF5188675B7h 0x00000008 jmp 00007FF5188675B2h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF5188675ACh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982531 second address: 98253B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF518700CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 977806 second address: 977826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FF5188675B3h 0x0000000a jnc 00007FF5188675A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9827CF second address: 9827E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF518700CBAh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9827E2 second address: 9827E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982D46 second address: 982D4B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98302A second address: 98305A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FF5188675B2h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jnl 00007FF5188675A6h 0x0000001a jl 00007FF5188675A6h 0x00000020 popad 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98305A second address: 983077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CC8h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9834DD second address: 9834E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9834E7 second address: 983516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FF518700CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF518700CBCh 0x00000012 jmp 00007FF518700CC3h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 989584 second address: 98958A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98958A second address: 98959A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94AD04 second address: 94AD45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push ebx 0x00000009 jns 00007FF5188675A6h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FF5188675BFh 0x0000001a jmp 00007FF5188675B7h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007FF5188675AEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94AD45 second address: 94AD4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94AD4A second address: 94AD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94AD50 second address: 94AD5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnl 00007FF518700CB6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 954BE1 second address: 954BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 954BEB second address: 954BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 954BF1 second address: 954BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990470 second address: 99047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FFFE second address: 990009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990009 second address: 99000D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99000D second address: 990013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990013 second address: 990020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990020 second address: 990024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990024 second address: 990036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990036 second address: 99004A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF5188675B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99018F second address: 9901B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF518700CC7h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9901B2 second address: 9901D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF5188675B9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9901D1 second address: 9901D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9901D9 second address: 9901DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99032D second address: 990343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CBBh 0x00000009 jg 00007FF518700CB6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9923A3 second address: 9923A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9923A9 second address: 9923F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF518700CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 078EA93Eh 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FF518700CB8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d xor di, 7893h 0x00000032 push F2BA20B5h 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push esi 0x0000003b pop esi 0x0000003c jnc 00007FF518700CB6h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9926B9 second address: 9926CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FF5188675ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9926CB second address: 9926CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9926CF second address: 9926D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9927B4 second address: 9927B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9927B8 second address: 9927BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992FF3 second address: 993010 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9930C5 second address: 9930CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9931E9 second address: 9931ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9931ED second address: 993203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FF5188675ACh 0x00000010 jne 00007FF5188675A6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993488 second address: 993498 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF518700CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9951D4 second address: 995239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF5188675B0h 0x00000009 popad 0x0000000a push eax 0x0000000b jo 00007FF5188675AAh 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 nop 0x00000016 push 00000000h 0x00000018 call 00007FF5188675AFh 0x0000001d jmp 00007FF5188675ABh 0x00000022 pop edi 0x00000023 push 00000000h 0x00000025 jnp 00007FF5188675A9h 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jc 00007FF5188675B9h 0x00000034 jmp 00007FF5188675B3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995239 second address: 99524F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF518700CC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995BF3 second address: 995BFD instructions: 0x00000000 rdtsc 0x00000002 je 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995A03 second address: 995A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e js 00007FF518700CB6h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995A18 second address: 995A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF5188675AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995A2B second address: 995A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 997F9B second address: 997FA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 999F16 second address: 999F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D98A second address: 99D9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF5188675A6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d je 00007FF5188675B8h 0x00000013 jmp 00007FF5188675B2h 0x00000018 nop 0x00000019 push eax 0x0000001a jmp 00007FF5188675AFh 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 mov ebx, dword ptr [ebp+122D2D48h] 0x00000028 mov dword ptr [ebp+1247AE7Ch], esi 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D1A0Ch], ecx 0x00000036 push eax 0x00000037 js 00007FF5188675B0h 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 pop edi 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99CBF5 second address: 99CBFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F9BC second address: 99F9C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EC33 second address: 99EC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F9C0 second address: 99F9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EC37 second address: 99EC3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A09E0 second address: 9A09E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A09E5 second address: 9A09F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A09F5 second address: 9A09FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A09FB second address: 9A0A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A0A01 second address: 9A0A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A0A05 second address: 9A0A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FF518700CB8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 and edi, 316A4A72h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FF518700CB8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push ecx 0x00000048 jmp 00007FF518700CBBh 0x0000004d pop ebx 0x0000004e mov di, bx 0x00000051 xchg eax, esi 0x00000052 pushad 0x00000053 push eax 0x00000054 jmp 00007FF518700CBFh 0x00000059 pop eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push edi 0x0000005d pop edi 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A0A79 second address: 9A0A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A0A7D second address: 9A0A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007FF518700CB6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A28B9 second address: 9A28BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A28BD second address: 9A28E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF518700CC3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A28E4 second address: 9A28E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4A87 second address: 9A4A8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3B80 second address: 9A3BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF5188675A6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF5188675B9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3BA8 second address: 9A3BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A695B second address: 9A699E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FF5188675ACh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF5188675B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A699E second address: 9A69AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A69AF second address: 9A69B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A6BBC second address: 9A6BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF518700CB6h 0x00000009 jmp 00007FF518700CC0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A6BDF second address: 9A6BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A6BE3 second address: 9A6BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4C32 second address: 9A4C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4C38 second address: 9A4C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4C3C second address: 9A4CE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, B3CDh 0x0000000f push dword ptr fs:[00000000h] 0x00000016 or dword ptr [ebp+12484020h], ebx 0x0000001c mov ebx, dword ptr [ebp+122D1E31h] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FF5188675A8h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 mov di, ax 0x00000046 mov eax, dword ptr [ebp+122D02C9h] 0x0000004c push 00000000h 0x0000004e push ebp 0x0000004f call 00007FF5188675A8h 0x00000054 pop ebp 0x00000055 mov dword ptr [esp+04h], ebp 0x00000059 add dword ptr [esp+04h], 0000001Ch 0x00000061 inc ebp 0x00000062 push ebp 0x00000063 ret 0x00000064 pop ebp 0x00000065 ret 0x00000066 push FFFFFFFFh 0x00000068 nop 0x00000069 pushad 0x0000006a jmp 00007FF5188675B6h 0x0000006f jmp 00007FF5188675AEh 0x00000074 popad 0x00000075 push eax 0x00000076 push edi 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4CE0 second address: 9A4CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A9B5D second address: 9A9BC9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF5188675ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FF5188675AFh 0x00000011 je 00007FF5188675BAh 0x00000017 jmp 00007FF5188675B4h 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007FF5188675A8h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c sub di, 8249h 0x00000041 push eax 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8C91 second address: 9A8C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8C95 second address: 9A8D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D30E0h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FF5188675A8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 xor dword ptr [ebp+122D198Bh], eax 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+122D1895h], eax 0x00000044 mov eax, dword ptr [ebp+122D0709h] 0x0000004a mov edi, 306C3724h 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push edx 0x00000054 call 00007FF5188675A8h 0x00000059 pop edx 0x0000005a mov dword ptr [esp+04h], edx 0x0000005e add dword ptr [esp+04h], 00000019h 0x00000066 inc edx 0x00000067 push edx 0x00000068 ret 0x00000069 pop edx 0x0000006a ret 0x0000006b add di, 63AEh 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 push ecx 0x00000076 pop ecx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8D1C second address: 9A8D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AAC7C second address: 9AACF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FF5188675A8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 xor ebx, dword ptr [ebp+122D2A54h] 0x0000002c call 00007FF5188675AAh 0x00000031 mov di, ax 0x00000034 pop ebx 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D195Dh], ecx 0x0000003d push 00000000h 0x0000003f jnl 00007FF5188675A9h 0x00000045 push eax 0x00000046 jl 00007FF5188675C7h 0x0000004c push eax 0x0000004d push edx 0x0000004e jc 00007FF5188675A6h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A9CDD second address: 9A9CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A9CE1 second address: 9A9CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ABC76 second address: 9ABC98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF518700CB6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF518700CC1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ABC98 second address: 9ABCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF5188675B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov ebx, ecx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FF5188675A8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c jnc 00007FF5188675ACh 0x00000032 stc 0x00000033 push 00000000h 0x00000035 mov ebx, dword ptr [ebp+122D2C60h] 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f pop eax 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AAE32 second address: 9AAE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AAE36 second address: 9AAE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE0F5 second address: 9AE0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE0F9 second address: 9AE115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF5188675B6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94767A second address: 9476A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBEh 0x00000007 jmp 00007FF518700CBFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9476A1 second address: 9476B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF5188675AAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4CE7 second address: 9B4CF6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF518700CB8h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 956793 second address: 9567A0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9567A0 second address: 9567A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B44B5 second address: 9B44BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4785 second address: 9B479E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF518700CBFh 0x00000009 jl 00007FF518700CB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B479E second address: 9B47A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAA9A second address: 9BAAA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAAA0 second address: 9BAAC1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF5188675B0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnp 00007FF5188675B0h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAAC1 second address: 9BAACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAACF second address: 9BAAFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FF5188675ACh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAAFB second address: 9BAB00 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAD38 second address: 9BAD3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAD3D second address: 7E3A29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FF518700CB6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 0E5BC436h 0x00000013 cld 0x00000014 push dword ptr [ebp+122D116Dh] 0x0000001a jmp 00007FF518700CC0h 0x0000001f call dword ptr [ebp+122D309Eh] 0x00000025 pushad 0x00000026 xor dword ptr [ebp+122D20BEh], eax 0x0000002c xor eax, eax 0x0000002e sub dword ptr [ebp+122D1ABEh], edx 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 pushad 0x00000039 jmp 00007FF518700CC4h 0x0000003e jmp 00007FF518700CBCh 0x00000043 popad 0x00000044 mov dword ptr [ebp+122D2A98h], eax 0x0000004a mov dword ptr [ebp+122D20BEh], edx 0x00000050 mov esi, 0000003Ch 0x00000055 sub dword ptr [ebp+122D1CB9h], eax 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f pushad 0x00000060 cld 0x00000061 mov ecx, eax 0x00000063 popad 0x00000064 pushad 0x00000065 mov eax, dword ptr [ebp+122D2ACCh] 0x0000006b add dword ptr [ebp+122D1F48h], edx 0x00000071 popad 0x00000072 lodsw 0x00000074 jg 00007FF518700CC4h 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e cld 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 add dword ptr [ebp+122D34E4h], esi 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d jp 00007FF518700CB6h 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF4B6 second address: 9BF4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF4BD second address: 9BF501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF518700CC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FF518700CC9h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jg 00007FF518700CC2h 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF665 second address: 9BF66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF66B second address: 9BF671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF78A second address: 9BF7A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF5188675AAh 0x00000008 jnc 00007FF5188675A6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF7A4 second address: 9BF7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF518700CB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF8D2 second address: 9BF8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF8D6 second address: 9BF8FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF518700CC8h 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF8FC second address: 9BF900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF900 second address: 9BF90C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFA63 second address: 9BFA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFA67 second address: 9BFA6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE43 second address: 9BFE55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE55 second address: 9BFE5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4BC4 second address: 9C4BD2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4BD2 second address: 9C4C10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF518700CC3h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF518700CBDh 0x0000000f popad 0x00000010 push ecx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF518700CC0h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4C10 second address: 9C4C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4D51 second address: 9C4D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4EE1 second address: 9C4EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5050 second address: 9C5075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CBEh 0x00000009 popad 0x0000000a pushad 0x0000000b jnl 00007FF518700CB6h 0x00000011 pushad 0x00000012 popad 0x00000013 js 00007FF518700CB6h 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C51CE second address: 9C51FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF5188675ADh 0x00000009 jp 00007FF5188675A6h 0x0000000f popad 0x00000010 jc 00007FF5188675B2h 0x00000016 jmp 00007FF5188675ACh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C51FC second address: 9C5200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5200 second address: 9C5210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FF5188675A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5362 second address: 9C5366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C54E1 second address: 9C54E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C54E5 second address: 9C54E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C54E9 second address: 9C54EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9782BA second address: 9782BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9782BE second address: 9782DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF5188675AAh 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FF5188675ADh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9782DE second address: 9782E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C596E second address: 9C597A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF5188675A6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C951F second address: 9C956A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jne 00007FF518700CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 je 00007FF518700CB6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FF518700CC2h 0x00000023 push eax 0x00000024 push edx 0x00000025 push edi 0x00000026 pop edi 0x00000027 jmp 00007FF518700CC7h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990DB3 second address: 990DB9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990DB9 second address: 990DF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF518700CBFh 0x00000008 jbe 00007FF518700CB6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FF518700CC6h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99143A second address: 99144B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FF5188675A8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991C51 second address: 991C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FF518700CB8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991D6A second address: 991D6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991F85 second address: 991F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991F8B second address: 991F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991F8F second address: 991F9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991F9E second address: 991FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991FA2 second address: 991FA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991FA8 second address: 9782BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FF5188675A6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movzx edi, bx 0x00000010 mov ecx, dword ptr [ebp+122D19D3h] 0x00000016 lea eax, dword ptr [ebp+12480A0Ah] 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007FF5188675A8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 jc 00007FF5188675ABh 0x0000003c pushad 0x0000003d stc 0x0000003e mov edx, eax 0x00000040 popad 0x00000041 or ecx, dword ptr [ebp+122D30B7h] 0x00000047 push eax 0x00000048 jmp 00007FF5188675B4h 0x0000004d mov dword ptr [esp], eax 0x00000050 sbb dx, D7B5h 0x00000055 lea eax, dword ptr [ebp+124809C6h] 0x0000005b jbe 00007FF5188675ACh 0x00000061 push eax 0x00000062 jmp 00007FF5188675AFh 0x00000067 mov dword ptr [esp], eax 0x0000006a movsx edi, ax 0x0000006d call dword ptr [ebp+12453473h] 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C994D second address: 9C995F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF518700CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF518700CB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C995F second address: 9C9963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C9963 second address: 9C9978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CBFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C9978 second address: 9C9993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF5188675AAh 0x00000008 jmp 00007FF5188675ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C9ACA second address: 9C9AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF518700CC4h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CDB8E second address: 9CDB92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D35FC second address: 9D361E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF518700CCAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D361E second address: 9D3624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D38F6 second address: 9D38FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D38FD second address: 9D3903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6F6E second address: 9D6F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DA210 second address: 9DA243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF5188675ACh 0x00000010 jmp 00007FF5188675AAh 0x00000015 popad 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D9DA0 second address: 9D9DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB89A second address: 9DB8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007FF5188675A6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB8A7 second address: 9DB8AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB8AC second address: 9DB8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF5188675A6h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 ja 00007FF5188675A6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DE91F second address: 9DE929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF518700CB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DE929 second address: 9DE92F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DE92F second address: 9DE940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jnp 00007FF518700CB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94400A second address: 94400E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6D97 second address: 9E6DBA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 jmp 00007FF518700CC1h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jc 00007FF518700CB6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E703E second address: 9E7095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF5188675B9h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF5188675AEh 0x00000011 ja 00007FF5188675C9h 0x00000017 jmp 00007FF5188675B2h 0x0000001c jmp 00007FF5188675B1h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7095 second address: 9E709A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E71C6 second address: 9E71D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E71D5 second address: 9E71DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991AB0 second address: 991AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991AB6 second address: 991B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, cx 0x00000011 mov ebx, dword ptr [ebp+12480A05h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FF518700CB8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 jl 00007FF518700CCDh 0x00000037 pushad 0x00000038 movsx eax, si 0x0000003b call 00007FF518700CC1h 0x00000040 pop ecx 0x00000041 popad 0x00000042 add eax, ebx 0x00000044 mov ecx, 004B8506h 0x00000049 movsx edx, ax 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push esi 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991B20 second address: 991B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991B25 second address: 991B3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007FF518700CC4h 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FF518700CB6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA6DE second address: 9EA6F0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FF5188675A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDC12 second address: 9EDC20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FF518700CB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDC20 second address: 9EDC39 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FF5188675AEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDC39 second address: 9EDC44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF518700CB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3BE second address: 9EE3C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6DE4 second address: 9F6E18 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF518700CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FF518700CBEh 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007FF518700CB6h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF518700CC6h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6E18 second address: 9F6E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6E1C second address: 9F6E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF518700CC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6E38 second address: 9F6E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6E3C second address: 9F6E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6E40 second address: 9F6E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5368 second address: 9F536C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6249 second address: 9F6256 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6256 second address: 9F6260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6260 second address: 9F6266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F67CF second address: 9F67D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F67D3 second address: 9F67F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FF5188675B2h 0x0000000f jl 00007FF5188675A6h 0x00000015 jne 00007FF5188675A6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F67F5 second address: 9F67FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6ADB second address: 9F6AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6AE4 second address: 9F6AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF518700CB6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6AF0 second address: 9F6B00 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6B00 second address: 9F6B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6B04 second address: 9F6B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F9F17 second address: 9F9F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FF518700CB8h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F9F34 second address: 9F9F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F9F38 second address: 9F9F48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA793 second address: 9FA7BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675AFh 0x00000007 jmp 00007FF5188675B9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA7BF second address: 9FA7D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CBCh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA962 second address: 9FA96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA96C second address: 9FA975 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FAAD7 second address: 9FAADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01980 second address: A01984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A079E5 second address: A07A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07A05 second address: A07A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07B6F second address: A07B83 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF5188675A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FF5188675A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0865B second address: A0866B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FF518700CB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A09629 second address: A09639 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF5188675B2h 0x00000008 js 00007FF5188675A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07505 second address: A0750A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0FEAB second address: A0FEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0FFFC second address: A1000A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF518700CB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1000A second address: A1001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1001F second address: A10025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10025 second address: A10029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10029 second address: A1002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1CE69 second address: A1CE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A220AF second address: A220DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF518700CC8h 0x0000000d jmp 00007FF518700CBBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A220DA second address: A220E4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF5188675B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A220E4 second address: A220EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21D58 second address: A21D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FF5188675ACh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21D6C second address: A21D77 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21D77 second address: A21D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF5188675AFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A307F5 second address: A307FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39F05 second address: A39F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39F09 second address: A39F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF518700CBDh 0x0000000c je 00007FF518700CB6h 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A089 second address: A3A093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A093 second address: A3A09D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF518700CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A388 second address: A3A392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF5188675A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A392 second address: A3A3B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A3B0 second address: A3A3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A3B6 second address: A3A3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007FF518700CB6h 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A3C8 second address: A3A3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A3D7 second address: A3A3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3AF42 second address: A3AF4E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3AF4E second address: A3AF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3AF52 second address: A3AF56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3AF56 second address: A3AF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D923 second address: A3D96B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B7h 0x00000007 jmp 00007FF5188675B7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 jp 00007FF5188675ACh 0x00000016 jg 00007FF5188675A6h 0x0000001c jp 00007FF5188675C2h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5B5CA second address: A5B609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FF518700CC5h 0x0000000e jmp 00007FF518700CBEh 0x00000013 popad 0x00000014 jmp 00007FF518700CC2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5B609 second address: A5B625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675B0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FF5188675A6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D377 second address: A5D393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF518700CC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D393 second address: A5D399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D399 second address: A5D39F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D39F second address: A5D3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF5188675ACh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D3B7 second address: A5D3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D4E9 second address: A5D4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D4ED second address: A5D4F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75D40 second address: A75D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75D49 second address: A75D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007FF518700CB6h 0x0000000c je 00007FF518700CB6h 0x00000012 js 00007FF518700CB6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75D62 second address: A75D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 jno 00007FF5188675A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75EB4 second address: A75EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF518700CB6h 0x0000000a jmp 00007FF518700CC6h 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 ja 00007FF518700CBCh 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7618B second address: A76199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76199 second address: A7619F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7673A second address: A7673E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7673E second address: A7674F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007FF518700CD2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7674F second address: A76753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76753 second address: A76761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FF518700CBEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A768CE second address: A768D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A768D5 second address: A7690B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF518700CC4h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF518700CC1h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7690B second address: A7691A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF5188675ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76BDB second address: A76BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78554 second address: A78558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78558 second address: A7856D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FF518700CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jnl 00007FF518700CB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7856D second address: A78578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78578 second address: A78586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF518700CBAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78586 second address: A7858C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7858C second address: A785A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FF518700CC2h 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A785A9 second address: A785B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7ADA7 second address: A7ADAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7ADAC second address: A7ADCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF5188675A6h 0x00000009 je 00007FF5188675A6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF5188675AEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B091 second address: A7B0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF518700CB6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c mov dword ptr [esp], eax 0x0000000f push ecx 0x00000010 mov dh, al 0x00000012 pop edx 0x00000013 mov edx, dword ptr [ebp+12450216h] 0x00000019 push 00000004h 0x0000001b call 00007FF518700CBAh 0x00000020 xor dh, 00000016h 0x00000023 pop edx 0x00000024 mov edx, edi 0x00000026 push 5047B3E0h 0x0000002b jg 00007FF518700CBEh 0x00000031 push ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CD26 second address: A7CD2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CD2B second address: A7CD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CD31 second address: A7CD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CD3B second address: A7CD43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E7EC second address: A7E808 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF5188675B6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E808 second address: A7E819 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF518700CB6h 0x00000009 jbe 00007FF518700CB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959DF2 second address: 959DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0CAB second address: 50C0D41 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, dword ptr [eax+00000FDCh] 0x0000000d jmp 00007FF518700CBAh 0x00000012 test ecx, ecx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FF518700CBEh 0x0000001b or eax, 1A75E058h 0x00000021 jmp 00007FF518700CBBh 0x00000026 popfd 0x00000027 mov bh, ah 0x00000029 popad 0x0000002a jns 00007FF518700CD7h 0x00000030 jmp 00007FF518700CBBh 0x00000035 add eax, ecx 0x00000037 pushad 0x00000038 mov ebx, ecx 0x0000003a jmp 00007FF518700CC0h 0x0000003f popad 0x00000040 mov eax, dword ptr [eax+00000860h] 0x00000046 jmp 00007FF518700CC0h 0x0000004b test eax, eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FF518700CC7h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0D41 second address: 50C0D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF5188675B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0D59 second address: 50C0D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0D5D second address: 50C0D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FF58921D5A0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0D71 second address: 50C0D77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7E3A90 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7E3A1D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 986871 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 990E76 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7E3996 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 2792 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2085433614.0000000000969000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2085241301.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075664185.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086073758.00000000011F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<
Source: file.exe, 00000000.00000003.2085241301.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086073758.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085908053.000000000117E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075866420.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2085433614.0000000000969000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C5BB0 LdrInitializeThunk, 0_2_007C5BB0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe, file.exe, 00000000.00000002.2085433614.0000000000969000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 53Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528660 Sample: file.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 10 sergei-esenin.com 2->10 12 licendfilteo.site 2->12 14 8 other IPs or domains 2->14 20 Multi AV Scanner detection for domain / URL 2->20 22 Suricata IDS alerts for network traffic 2->22 24 Found malware configuration 2->24 26 9 other signatures 2->26 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 sergei-esenin.com 172.67.206.204, 443, 49705 CLOUDFLARENETUS United States 6->16 18 steamcommunity.com 104.102.49.254, 443, 49704 AKAMAI-ASUS United States 6->18 28 Detected unpacking (changes PE section rights) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 Tries to evade debugger and weak emulator (self modifying code) 6->32 34 4 other signatures 6->34 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
sergei-esenin.com 172.67.206.204 true
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
studennotediw.stor true
    		unknown
    mobbipenju.stor true
      		unknown
      https://steamcommunity.com/profiles/76561199724331900 true
      • URL Reputation: malware
      		 unknown
      bathdoomgaz.stor true
        		unknown
        dissapoiznw.stor true
          		unknown
          spirittunek.stor true
            		unknown
            eaglepawnoy.stor true
              		unknown
              clearancek.site true unknown
              licendfilteo.site true unknown
              https://sergei-esenin.com/api true
                		unknown