Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528876
MD5: f6573e376463c493395a0189bd5b6a54
SHA1: 3e297be62c83074742fb4e6515fa80e700be85de
SHA256: 1cd1a6c8b63ce8cf1ac0de34237bcbdac46f8c613536c7f1e7ad0091420def25
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: file.exe.5948.1.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["mobbipenju.store", "bathdoomgaz.storec", "clearancek.site", "licendfilteo.sitec", "studennotediw.storec", "eaglepawnoy.storec", "dissapoiznw.storec", "spirittunek.storec"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for domain / URL
Source: sergei-esenin.com Virustotal: Detection: 11% Perma Link
Source: bathdoomgaz.store Virustotal: Detection: 13% Perma Link
Source: licendfilteo.site Virustotal: Detection: 15% Perma Link
Source: spirittunek.store Virustotal: Detection: 13% Perma Link
Source: dissapoiznw.store Virustotal: Detection: 13% Perma Link
Source: clearancek.site Virustotal: Detection: 17% Perma Link
Source: studennotediw.store Virustotal: Detection: 17% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 17% Perma Link
Source: mobbipenju.store Virustotal: Detection: 13% Perma Link
Source: https://sergei-esenin.com:443/api Virustotal: Detection: 13% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.2230232687.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AC50FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00A8D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00A8D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 1_2_00AC63B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AC5700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 1_2_00AC99D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 1_2_00AC695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_00A8FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_00AC6094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 1_2_00A96F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 1_2_00ABF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 1_2_00A81000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 1_2_00AC4040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 1_2_00AAD1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 1_2_00A942FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 1_2_00AA2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 1_2_00AA2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 1_2_00A8A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 1_2_00AC64B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 1_2_00AAE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 1_2_00A9B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 1_2_00AAC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_00AC1440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00A9D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 1_2_00A88590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 1_2_00AC7520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 1_2_00A96536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00AA9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 1_2_00AAE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_00ABB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 1_2_00AAD7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 1_2_00AC67EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 1_2_00AC7710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 1_2_00AA28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 1_2_00A849A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 1_2_00AC3920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 1_2_00A9D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 1_2_00A91ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 1_2_00A91A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 1_2_00AC4A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 1_2_00A85A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_00AB0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 1_2_00A91BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 1_2_00A93BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 1_2_00A9DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 1_2_00A9DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 1_2_00AC9B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 1_2_00AAAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 1_2_00AAAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AC9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 1_2_00AC9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 1_2_00AACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 1_2_00AACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 1_2_00ABFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_00AA7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 1_2_00AAEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AC8D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 1_2_00AADD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 1_2_00AAFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 1_2_00A86EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 1_2_00A96EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 1_2_00A8BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 1_2_00A91E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 1_2_00A90EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 1_2_00A94E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00AA7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AA5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 1_2_00AAAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 1_2_00A96F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 1_2_00AC7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00AC7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 1_2_00A9FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_00A88FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_00AC5FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 1_2_00AA9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00ABFF70

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:58722 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:54938 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:49909 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:61119 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50036 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:51163 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:55674 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:52336 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: bathdoomgaz.storec
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: licendfilteo.sitec
Source: Malware configuration extractor URLs: studennotediw.storec
Source: Malware configuration extractor URLs: eaglepawnoy.storec
Source: Malware configuration extractor URLs: dissapoiznw.storec
Source: Malware configuration extractor URLs: spirittunek.storec
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000001.00000002.2231066264.00000000015DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.00000000015DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/.
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/Z$
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000001.00000002.2231066264.00000000015DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.00000000015DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiF
Source: file.exe, 00000001.00000003.2219908926.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000003.2219908926.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/=l
Source: file.exe, 00000001.00000002.2231066264.00000000015DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.00000000015DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/=o
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?su
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000003.2219908926.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000001.00000003.2219908926.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900J
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.0000000001596000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000003.2219888407.0000000001628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000003.2219908926.00000000015E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A90228 1_2_00A90228
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00ACA0D0 1_2_00ACA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A92030 1_2_00A92030
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 1_2_00C60065
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A81000 1_2_00A81000
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC4040 1_2_00AC4040
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8E1A0 1_2_00A8E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00CE918D 1_2_00CE918D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A871F0 1_2_00A871F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A85160 1_2_00A85160
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B3B15C 1_2_00B3B15C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A812F7 1_2_00A812F7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB82D0 1_2_00AB82D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB12D0 1_2_00AB12D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8B3A0 1_2_00A8B3A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A813A3 1_2_00A813A3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB23E0 1_2_00AB23E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8A300 1_2_00A8A300
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C56375 1_2_00C56375
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A94487 1_2_00A94487
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A9049B 1_2_00A9049B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB64F0 1_2_00AB64F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AAC470 1_2_00AAC470
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A835B0 1_2_00A835B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00BD1592 1_2_00BD1592
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A88590 1_2_00A88590
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A9C5F0 1_2_00A9C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C54687 1_2_00C54687
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC86F0 1_2_00AC86F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C59698 1_2_00C59698
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00ABF620 1_2_00ABF620
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C5E671 1_2_00C5E671
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8164F 1_2_00A8164F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC8652 1_2_00AC8652
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00ABE8A0 1_2_00ABE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00ABB8C0 1_2_00ABB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB1860 1_2_00AB1860
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8A850 1_2_00A8A850
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC89A0 1_2_00AC89A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AA098B 1_2_00AA098B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC7AB0 1_2_00AC7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC8A80 1_2_00AC8A80
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC4A40 1_2_00AC4A40
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A87BF0 1_2_00A87BF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C51B5D 1_2_00C51B5D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A9DB6F 1_2_00A9DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C52B0A 1_2_00C52B0A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC6CBF 1_2_00AC6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B55CF0 1_2_00B55CF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AACCD0 1_2_00AACCD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC8C02 1_2_00AC8C02
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C5BDCE 1_2_00C5BDCE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AADD29 1_2_00AADD29
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AAFD10 1_2_00AAFD10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AA8D62 1_2_00AA8D62
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A96EBF 1_2_00A96EBF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8BEB0 1_2_00A8BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A94E2A 1_2_00A94E2A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC8E70 1_2_00AC8E70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AAAE57 1_2_00AAAE57
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00BF6FBB 1_2_00BF6FBB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC7FC0 1_2_00AC7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A88FD0 1_2_00A88FD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00A8AF10 1_2_00A8AF10
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A8CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A9D300 appears 152 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995487830033003
Source: file.exe Static PE information: Section: zrjduasp ZLIB complexity 0.9943019572617247
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AB8220 CoCreateInstance, 1_2_00AB8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: file.exe Static file information: File size 1862144 > 1048576
Source: file.exe Static PE information: Raw size of zrjduasp is bigger than: 0x100000 < 0x19d200

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.a80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zrjduasp:EW;mirbuaqc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zrjduasp:EW;mirbuaqc:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1c75a9 should be: 0x1d1f9b
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: zrjduasp
Source: file.exe Static PE information: section name: mirbuaqc
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00CF40DC push 259CFC36h; mov dword ptr [esp], edx 1_2_00CF40E4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00CF40DC push 192631FBh; mov dword ptr [esp], edx 1_2_00CF40FF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C93084 push 51C75ABBh; mov dword ptr [esp], eax 1_2_00C930A7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00D5D04F push ecx; mov dword ptr [esp], 290C9100h 1_2_00D5D15B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00D5D04F push ecx; mov dword ptr [esp], 73ED2AB2h 1_2_00D5D170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 126DF301h; mov dword ptr [esp], ecx 1_2_00C60073
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebp; mov dword ptr [esp], eax 1_2_00C60178
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 1C897A5Ch; mov dword ptr [esp], edi 1_2_00C6030A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 7909E3FCh; mov dword ptr [esp], ecx 1_2_00C60451
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 7FDE1DE9h; mov dword ptr [esp], esi 1_2_00C60550
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edx; mov dword ptr [esp], 71F7FBBAh 1_2_00C60582
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebx; mov dword ptr [esp], ecx 1_2_00C6069B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ecx; mov dword ptr [esp], ebp 1_2_00C606BD
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebx; mov dword ptr [esp], 6FFD4B23h 1_2_00C60715
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push esi; mov dword ptr [esp], 4FBBAB48h 1_2_00C6075B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 4C418A67h; mov dword ptr [esp], edx 1_2_00C60779
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebp; mov dword ptr [esp], edx 1_2_00C607B4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebp; mov dword ptr [esp], ecx 1_2_00C60899
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 375D7A7Fh; mov dword ptr [esp], eax 1_2_00C608E4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 1A5F5500h; mov dword ptr [esp], ebx 1_2_00C6092F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edi; mov dword ptr [esp], esp 1_2_00C609BD
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 1EB783DAh; mov dword ptr [esp], edx 1_2_00C609D5
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edx; mov dword ptr [esp], ecx 1_2_00C60A28
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push eax; mov dword ptr [esp], edx 1_2_00C60A53
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 762EFEF1h; mov dword ptr [esp], esi 1_2_00C60B0F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 571D798Fh; mov dword ptr [esp], ebx 1_2_00C60C2F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edi; mov dword ptr [esp], eax 1_2_00C60C54
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push ebx; mov dword ptr [esp], ebp 1_2_00C60C9D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edx; mov dword ptr [esp], ebx 1_2_00C60D7C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push edx; mov dword ptr [esp], 6DFF9726h 1_2_00C60DC4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00C60065 push 53FE468Eh; mov dword ptr [esp], edi 1_2_00C60E8A
Source: file.exe Static PE information: section name: entropy: 7.982390407812277
Source: file.exe Static PE information: section name: zrjduasp entropy: 7.953168337560915

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4411 second address: AE4415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4415 second address: AE441F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FB5F8D48006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE441F second address: AE3CF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48ABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FB5F8D48AC5h 0x00000011 push dword ptr [ebp+122D0445h] 0x00000017 cld 0x00000018 call dword ptr [ebp+122D374Ch] 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007FB5F8D48AC4h 0x00000025 pushad 0x00000026 stc 0x00000027 jmp 00007FB5F8D48AC5h 0x0000002c popad 0x0000002d popad 0x0000002e mov dword ptr [ebp+122D1860h], edx 0x00000034 xor eax, eax 0x00000036 jmp 00007FB5F8D48AC7h 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f jmp 00007FB5F8D48AC0h 0x00000044 mov dword ptr [ebp+122D3C0Dh], eax 0x0000004a or dword ptr [ebp+122D19F9h], esi 0x00000050 mov esi, 0000003Ch 0x00000055 clc 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a mov dword ptr [ebp+122D3436h], eax 0x00000060 lodsw 0x00000062 jmp 00007FB5F8D48ABFh 0x00000067 mov dword ptr [ebp+122D1860h], ecx 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jnp 00007FB5F8D48AB7h 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b cld 0x0000007c push eax 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE3CF5 second address: AE3CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64A21 second address: C64A35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB5F8D48ABAh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64D05 second address: C64D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5F8D4800Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64D16 second address: C64D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6525E second address: C65262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C65262 second address: C65270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FB5F8D48ABCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C65270 second address: C65289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB5F8D4800Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C678AB second address: AE3CF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 7C4553E5h 0x00000010 push dword ptr [ebp+122D0445h] 0x00000016 mov edx, dword ptr [ebp+122D3ACDh] 0x0000001c mov edx, ecx 0x0000001e call dword ptr [ebp+122D374Ch] 0x00000024 pushad 0x00000025 pushad 0x00000026 jmp 00007FB5F8D48AC4h 0x0000002b pushad 0x0000002c stc 0x0000002d jmp 00007FB5F8D48AC5h 0x00000032 popad 0x00000033 popad 0x00000034 mov dword ptr [ebp+122D1860h], edx 0x0000003a xor eax, eax 0x0000003c jmp 00007FB5F8D48AC7h 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 jmp 00007FB5F8D48AC0h 0x0000004a mov dword ptr [ebp+122D3C0Dh], eax 0x00000050 or dword ptr [ebp+122D19F9h], esi 0x00000056 mov esi, 0000003Ch 0x0000005b clc 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D3436h], eax 0x00000066 lodsw 0x00000068 jmp 00007FB5F8D48ABFh 0x0000006d mov dword ptr [ebp+122D1860h], ecx 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 jnp 00007FB5F8D48AB7h 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 cld 0x00000082 push eax 0x00000083 pushad 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67959 second address: C67988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 jnp 00007FB5F8D48006h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FB5F8D4800Bh 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67988 second address: C67992 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB5F8D48ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67992 second address: C679D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 sub dword ptr [ebp+122D3436h], edx 0x0000000d push 00000003h 0x0000000f mov dword ptr [ebp+122D19F9h], esi 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 mov ecx, dword ptr [ebp+122D3AF5h] 0x0000001e pop edx 0x0000001f push 00000003h 0x00000021 mov dword ptr [ebp+122D36A6h], ecx 0x00000027 jmp 00007FB5F8D4800Dh 0x0000002c push E24F249Fh 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FB5F8D4800Ah 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C679D7 second address: C67A6C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5F8D48AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 224F249Fh 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FB5F8D48AB8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b lea ebx, dword ptr [ebp+1245778Eh] 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007FB5F8D48AB8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b mov ecx, 45C01C8Dh 0x00000050 xchg eax, ebx 0x00000051 jg 00007FB5F8D48ACFh 0x00000057 push eax 0x00000058 jbe 00007FB5F8D48AD0h 0x0000005e pushad 0x0000005f jmp 00007FB5F8D48AC2h 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67AC6 second address: C67AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007FB5F8D48006h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB5F8D48010h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67AE5 second address: C67BC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D5C33h], ebx 0x00000010 push 00000000h 0x00000012 adc ecx, 7D12994Dh 0x00000018 push 08F7BFF7h 0x0000001d jmp 00007FB5F8D48AC0h 0x00000022 xor dword ptr [esp], 08F7BF77h 0x00000029 mov dword ptr [ebp+122D34F5h], edi 0x0000002f push 00000003h 0x00000031 jmp 00007FB5F8D48AC3h 0x00000036 pushad 0x00000037 jng 00007FB5F8D48ABBh 0x0000003d mov eax, 54554300h 0x00000042 popad 0x00000043 push 00000000h 0x00000045 mov dword ptr [ebp+122D3693h], eax 0x0000004b push 00000003h 0x0000004d and edx, dword ptr [ebp+122D390Dh] 0x00000053 call 00007FB5F8D48AB9h 0x00000058 jmp 00007FB5F8D48AC6h 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 jne 00007FB5F8D48AB6h 0x00000066 pop eax 0x00000067 jmp 00007FB5F8D48AC8h 0x0000006c popad 0x0000006d mov eax, dword ptr [esp+04h] 0x00000071 jnc 00007FB5F8D48AC2h 0x00000077 mov eax, dword ptr [eax] 0x00000079 jnp 00007FB5F8D48AC4h 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 pop eax 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67BC7 second address: C67BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67C6C second address: C67CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FB5F8D48AB8h 0x0000000b popad 0x0000000c nop 0x0000000d call 00007FB5F8D48ABCh 0x00000012 sub dword ptr [ebp+122D3444h], ebx 0x00000018 pop edx 0x00000019 push 00000000h 0x0000001b js 00007FB5F8D48AC3h 0x00000021 call 00007FB5F8D48AB9h 0x00000026 pushad 0x00000027 push edx 0x00000028 jbe 00007FB5F8D48AB6h 0x0000002e pop edx 0x0000002f jmp 00007FB5F8D48ABFh 0x00000034 popad 0x00000035 push eax 0x00000036 jmp 00007FB5F8D48ABCh 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f jmp 00007FB5F8D48AC3h 0x00000044 mov eax, dword ptr [eax] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push edi 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67CF1 second address: C67CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67CF7 second address: C67D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FB5F8D48AB8h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67D1C second address: C67D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8747C second address: C87493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB5F8D48ABEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87493 second address: C87497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50B63 second address: C50B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85266 second address: C85278 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85278 second address: C8527E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8527E second address: C85282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85282 second address: C85286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8555E second address: C85562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C856E3 second address: C856E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85892 second address: C858A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB5F8D4800Ah 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C858A7 second address: C858AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C858AD second address: C858B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85A0D second address: C85A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85CEF second address: C85CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85CFD second address: C85D33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FB5F8D48AC8h 0x00000011 jmp 00007FB5F8D48AC2h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EA6 second address: C85EAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EAE second address: C85EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EB4 second address: C85EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D4800Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EC5 second address: C85ED7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48ABEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85ED7 second address: C85EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EE0 second address: C85EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48AC8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C861EE second address: C861F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C861F2 second address: C86230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007FB5F8D48AC1h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 jmp 00007FB5F8D48AC5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CFA1 second address: C7CFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86C77 second address: C86CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FB5F8D48AB8h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 push edx 0x00000015 ja 00007FB5F8D48AB6h 0x0000001b jmp 00007FB5F8D48AC7h 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87288 second address: C87293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB5F8D48006h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C87293 second address: C872B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C872B4 second address: C872D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D4800Ch 0x00000009 jl 00007FB5F8D48006h 0x0000000f popad 0x00000010 push edi 0x00000011 jl 00007FB5F8D48006h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C872D4 second address: C872D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C872D9 second address: C872F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5F8D48012h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88A83 second address: C88A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88A8A second address: C88A91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C240 second address: C8C244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EE36 second address: C8EE40 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5F8D4800Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EE40 second address: C8EE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB5F8D48ABCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C52606 second address: C5260C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5260C second address: C52629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB5F8D48AC8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C52629 second address: C5262E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92689 second address: C9268D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9280D second address: C9281C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9281C second address: C92837 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB5F8D48AC5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92E02 second address: C92E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92F5B second address: C92F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FB5F8D48AC5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92F7A second address: C92F84 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB5F8D48006h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94C4E second address: C94C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94C54 second address: C94C66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FB5F8D48006h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94C66 second address: C94C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94CC2 second address: C94CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 xor dword ptr [esp], 5D25A757h 0x0000000c mov edi, dword ptr [ebp+122D3AE1h] 0x00000012 push 481A4485h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95285 second address: C9528B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95887 second address: C9588D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9588D second address: C95891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95B51 second address: C95B82 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D4800Ch 0x00000008 jns 00007FB5F8D48006h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jl 00007FB5F8D48025h 0x00000017 pushad 0x00000018 jmp 00007FB5F8D48017h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95D45 second address: C95D4F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5F8D48AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95EAF second address: C95EE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FB5F8D48008h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95EE2 second address: C95EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95EE6 second address: C95EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9647D second address: C96481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96DBC second address: C96DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96DC0 second address: C96DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C97D0A second address: C97D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FB5F8D48008h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov esi, 51DB79B5h 0x00000028 push 00000000h 0x0000002a jmp 00007FB5F8D4800Ch 0x0000002f push 00000000h 0x00000031 add dword ptr [ebp+122D2F6Bh], edx 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C97D52 second address: C97D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98867 second address: C9886C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9886C second address: C9887F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FB5F8D48ABCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9887F second address: C98883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98883 second address: C9888E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB5F8D48AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99276 second address: C9928F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48015h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9928F second address: C99295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99295 second address: C99299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99299 second address: C9929D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99DBA second address: C99E2D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D4800Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jmp 00007FB5F8D48017h 0x00000011 pop ecx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FB5F8D48008h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D17C1h], edx 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D3B55h] 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push edi 0x00000042 pop edi 0x00000043 jmp 00007FB5F8D48011h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AA6D second address: C9AA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B580 second address: C9B5F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FB5F8D48008h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov esi, 718DC752h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FB5F8D48008h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 sub dword ptr [ebp+12457E73h], ebx 0x0000004b xchg eax, ebx 0x0000004c jno 00007FB5F8D48010h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 je 00007FB5F8D48006h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B5F4 second address: C9B5FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0B6E second address: CA0B81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D4800Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0B81 second address: CA0B93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5F8D48ABDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2945 second address: CA294B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA294B second address: CA294F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA47DB second address: CA47DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA760F second address: CA7613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA7613 second address: CA7619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA7619 second address: CA761F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA761F second address: CA7623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA7623 second address: CA7664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FB5F8D48AB8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 xor bx, 5A59h 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+122D1A38h] 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+122D3979h] 0x0000003a push eax 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA84A7 second address: CA84C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D4800Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FB5F8D48006h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA84C0 second address: CA84DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB5F8D48AC0h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA84DE second address: CA84E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA94D1 second address: CA94D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA94D7 second address: CA94FB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB5F8D48006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB5F8D48014h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB50D second address: CAB567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D3A11h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FB5F8D48AB8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 pop edi 0x00000033 push eax 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FB5F8D48AC9h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC456 second address: CAC4C9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D48008h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007FB5F8D48015h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FB5F8D48008h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c sub dword ptr [ebp+124665A0h], edx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D2A56h], edx 0x0000003a jmp 00007FB5F8D48019h 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push ecx 0x00000045 pop ecx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC4C9 second address: CAC4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC4CD second address: CAC4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC4D3 second address: CAC4FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD43E second address: CAD4A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FB5F8D48006h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FB5F8D48008h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push ebx 0x00000028 pushad 0x00000029 mov edi, dword ptr [ebp+122D34FDh] 0x0000002f ja 00007FB5F8D48006h 0x00000035 popad 0x00000036 pop edi 0x00000037 clc 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FB5F8D48008h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 push 00000000h 0x00000056 mov ebx, edx 0x00000058 xchg eax, esi 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD4A3 second address: CAD4A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF59C second address: CAF5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF5A0 second address: CAF5A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB28E3 second address: CB28EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF76E second address: CAF77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF77C second address: CAF781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF86D second address: CAF887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48AC2h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF887 second address: CAF88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C710 second address: C5C73C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5F8D48AB6h 0x00000008 jmp 00007FB5F8D48AC4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FB5F8D48AB8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C73C second address: C5C740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C740 second address: C5C744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA719 second address: CBA721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA721 second address: CBA74A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB5F8D48ABDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA8A4 second address: CBA8A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA8A8 second address: CBA8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB5F8D48AB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA8B6 second address: CBA8BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC06AB second address: CC06BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FB5F8D48AB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC06BC second address: CC06D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0940 second address: AE3CF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 22065FE3h 0x0000000f jnl 00007FB5F8D48ACCh 0x00000015 jmp 00007FB5F8D48AC6h 0x0000001a push dword ptr [ebp+122D0445h] 0x00000020 pushad 0x00000021 mov ax, bx 0x00000024 jmp 00007FB5F8D48ABFh 0x00000029 popad 0x0000002a call dword ptr [ebp+122D374Ch] 0x00000030 pushad 0x00000031 pushad 0x00000032 jmp 00007FB5F8D48AC4h 0x00000037 pushad 0x00000038 stc 0x00000039 jmp 00007FB5F8D48AC5h 0x0000003e popad 0x0000003f popad 0x00000040 mov dword ptr [ebp+122D1860h], edx 0x00000046 xor eax, eax 0x00000048 jmp 00007FB5F8D48AC7h 0x0000004d mov edx, dword ptr [esp+28h] 0x00000051 jmp 00007FB5F8D48AC0h 0x00000056 mov dword ptr [ebp+122D3C0Dh], eax 0x0000005c or dword ptr [ebp+122D19F9h], esi 0x00000062 mov esi, 0000003Ch 0x00000067 clc 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D3436h], eax 0x00000072 lodsw 0x00000074 jmp 00007FB5F8D48ABFh 0x00000079 mov dword ptr [ebp+122D1860h], ecx 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 jnp 00007FB5F8D48AB7h 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d cld 0x0000008e push eax 0x0000008f pushad 0x00000090 push eax 0x00000091 push edx 0x00000092 push eax 0x00000093 push edx 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5564 second address: CC5568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5568 second address: CC556E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC41C8 second address: CC41E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48012h 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007FB5F8D48006h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4836 second address: CC483A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4B33 second address: CC4B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4B39 second address: CC4B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4B3F second address: CC4B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4DD2 second address: CC4DEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4DEC second address: CC4E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jno 00007FB5F8D48006h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FB5F8D48006h 0x00000016 jg 00007FB5F8D48006h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4E08 second address: CC4E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4F7C second address: CC4FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48012h 0x00000009 jmp 00007FB5F8D4800Dh 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FB5F8D4801Eh 0x00000018 jmp 00007FB5F8D48016h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 popad 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC52B8 second address: CC52CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FB5F8D48AB6h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jng 00007FB5F8D48AB6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC95C1 second address: CC95C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC95C5 second address: CC95CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC95CB second address: CC95D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC95D5 second address: CC95D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC99F3 second address: CC9A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB5F8D48006h 0x0000000a popad 0x0000000b js 00007FB5F8D4800Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9100 second address: CC911A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FB5F8D48AB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC911A second address: CC911E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC911E second address: CC9124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9E3B second address: CC9E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9E41 second address: CC9E4D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB5F8D48AB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9E4D second address: CC9E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5F8D4800Bh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE5B7 second address: CCE5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FB5F8D48AC1h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE5D6 second address: CCE5E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5F8D4800Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEB7B second address: CCEB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEB81 second address: CCEB87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEE56 second address: CCEE62 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB5F8D48AB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEFF1 second address: CCEFF7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEFF7 second address: CCF009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF2DD second address: CCF2F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB5F8D48015h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DD96 second address: C7CFA1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB5F8D48ABEh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FB5F8D48AB8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 jmp 00007FB5F8D48AC2h 0x0000002b call dword ptr [ebp+122D36BBh] 0x00000031 jmp 00007FB5F8D48AC7h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b jmp 00007FB5F8D48AC3h 0x00000040 jg 00007FB5F8D48AB6h 0x00000046 popad 0x00000047 pushad 0x00000048 jne 00007FB5F8D48AB6h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DFAF second address: C9DFB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB5F8D48006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E4B9 second address: C9E4DB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB5F8D48ABCh 0x00000008 jno 00007FB5F8D48AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB5F8D48ABEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E75B second address: C9E75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E75F second address: C9E765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E765 second address: C9E769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EE14 second address: C9EE19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F0C0 second address: C9F0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6939 second address: CD6947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6947 second address: CD6985 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5F8D48017h 0x00000008 jo 00007FB5F8D48006h 0x0000000e jmp 00007FB5F8D4800Bh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 jmp 00007FB5F8D48010h 0x0000001d pop eax 0x0000001e jmp 00007FB5F8D4800Fh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6D83 second address: CD6D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6D9B second address: CD6DB2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5F8D4800Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6DB2 second address: CD6DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB5F8D48AC7h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6DCE second address: CD6DD8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5F8D48012h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD722C second address: CD7232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7232 second address: CD723E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD723E second address: CD7242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB4E1 second address: CDB4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D4800Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD8A5 second address: CDD8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55C06 second address: C55C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55C0A second address: C55C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jng 00007FB5F8D48AB6h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD35E second address: CDD362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD362 second address: CDD366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD4AF second address: CDD4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD4B8 second address: CDD4CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48ABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD4CE second address: CDD4D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD4D4 second address: CDD4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB5F8D48ACDh 0x0000000c jmp 00007FB5F8D48AC1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD4F3 second address: CDD4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE0338 second address: CE0359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007FB5F8D48ACCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE551C second address: CE5521 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5521 second address: CE5533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48ABAh 0x00000009 pop edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4BE5 second address: CE4C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jne 00007FB5F8D4800Ah 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FB5F8D4800Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EA7 second address: CE4EB5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D48AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EB5 second address: CE4EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EBB second address: CE4EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EBF second address: CE4EC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EC3 second address: CE4EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4EC9 second address: CE4ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4ECE second address: CE4ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE51CE second address: CE51D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE51D2 second address: CE51DC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB5F8D48AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE51DC second address: CE51E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE51E8 second address: CE51EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE51EC second address: CE51F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA936 second address: CEA942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB5F8D48AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA942 second address: CEA970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FB5F8D4801Fh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FB5F8D48006h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA970 second address: CEA974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F049 second address: C4F065 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB5F8D48013h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F065 second address: C4F078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ecx 0x00000008 jl 00007FB5F8D48AD2h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9444 second address: CE9448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9997 second address: CE999E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE999E second address: CE99A8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB5F8D4800Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE99A8 second address: CE99B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE99B0 second address: CE99B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9C75 second address: CE9C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9C79 second address: CE9C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FB5F8D4801Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE504 second address: CEE52F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB5F8D48AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB5F8D48AC3h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 jnl 00007FB5F8D48AB6h 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE52F second address: CEE548 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jnl 00007FB5F8D4800Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE548 second address: CEE556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEED3F second address: CEED45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4136 second address: CF413A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF413A second address: CF4152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB5F8D4800Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4900 second address: CF4930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB5F8D48AB6h 0x0000000a popad 0x0000000b je 00007FB5F8D48ABEh 0x00000011 pushad 0x00000012 jl 00007FB5F8D48AB6h 0x00000018 jmp 00007FB5F8D48ABEh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4C5B second address: CF4C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4C68 second address: CF4C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4C6E second address: CF4C94 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB5F8D48006h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB5F8D48018h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4C94 second address: CF4C9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4C9A second address: CF4CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5586 second address: CF558B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF558B second address: CF5591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5591 second address: CF5595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5806 second address: CF581E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48012h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF581E second address: CF5823 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5823 second address: CF582C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF582C second address: CF5832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5832 second address: CF5836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5836 second address: CF583A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5DEF second address: CF5DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB5F8D48006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5DF9 second address: CF5DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5DFD second address: CF5E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF9EDE second address: CF9EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB5F8D48AC5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA1AE second address: CFA1BE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB5F8D48006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA1BE second address: CFA1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA1C2 second address: CFA1D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D4800Bh 0x00000007 jns 00007FB5F8D48006h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA31D second address: CFA321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00526 second address: D0053B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48011h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0053B second address: D00544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0934A second address: D09366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D4800Ch 0x00000009 popad 0x0000000a push ebx 0x0000000b jbe 00007FB5F8D48006h 0x00000011 pop ebx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07594 second address: D075B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48ABCh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FB5F8D48AB6h 0x00000012 jp 00007FB5F8D48AB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D075B3 second address: D075B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D075B9 second address: D075C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FB5F8D48AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D076EB second address: D076F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D076F1 second address: D07729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB5F8D48AC6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB5F8D48AC8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07729 second address: D0772D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08250 second address: D08254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08254 second address: D08278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48015h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c je 00007FB5F8D48006h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D083C7 second address: D083D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D48AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D083D1 second address: D083DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FB5F8D4800Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D083DF second address: D0840F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FB5F8D48ABAh 0x0000000b jbe 00007FB5F8D48AB8h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FB5F8D48AC2h 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0840F second address: D08413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08413 second address: D08417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D091C7 second address: D091CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07179 second address: D07181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5FBAC second address: C5FBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB5F8D48017h 0x0000000a pop esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB5F8D48017h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5FBE5 second address: C5FBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D208B4 second address: D208BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D208BA second address: D208CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FB5F8D48AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007FB5F8D48AC2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D208CE second address: D208D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D208D4 second address: D208D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D208D8 second address: D208DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25747 second address: D25755 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB5F8D48AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D298A0 second address: D298B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB5F8D48006h 0x0000000a jnc 00007FB5F8D48006h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D315E2 second address: D31617 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FB5F8D48ABBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB5F8D48AC8h 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FB5F8D48ABAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34729 second address: D34741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48014h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D394C3 second address: D394CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D397C2 second address: D397C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D398F6 second address: D39900 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB5F8D48AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39900 second address: D39930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB5F8D48015h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB5F8D4800Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39930 second address: D3994D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3994D second address: D39958 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FB5F8D48006h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39AC3 second address: D39AEE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5F8D48AB6h 0x00000008 jns 00007FB5F8D48AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FB5F8D48AB8h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB5F8D48ABEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39AEE second address: D39AFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39AFA second address: D39AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39AFE second address: D39B08 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5F8D48006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39B08 second address: D39B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A801 second address: D3A83C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48015h 0x00000007 jmp 00007FB5F8D48014h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007FB5F8D48012h 0x00000014 jg 00007FB5F8D48006h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F228 second address: D3F22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F22C second address: D3F232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F232 second address: D3F237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F237 second address: D3F23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3EDFF second address: D3EE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4CCDD second address: D4CCE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4CCE3 second address: D4CCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F802 second address: D4F806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F806 second address: D4F80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F80A second address: D4F81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB5F8D48006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F81A second address: D4F820 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F820 second address: D4F83F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5F8D48008h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB5F8D4800Bh 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F83F second address: D4F85A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB5F8D48ABEh 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jl 00007FB5F8D48AB6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50E19 second address: D50E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FB5F8D48006h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DAAC second address: D5DAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DAB0 second address: D5DAD2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5F8D48006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FB5F8D4800Fh 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DAD2 second address: D5DADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DADA second address: D5DAEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5F8D48010h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D953 second address: D5D96D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB5F8D48AC2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D96D second address: D5D973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D973 second address: D5D977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D601C5 second address: D601C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D601C9 second address: D601DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB5F8D48ABBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D601DF second address: D601E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D601E3 second address: D60204 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007FB5F8D48AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FB5F8D48ABDh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60204 second address: D60208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A9E second address: D78AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78AA7 second address: D78AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78AAE second address: D78AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78AB4 second address: D78ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78ABA second address: D78ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78ABE second address: D78AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78C0F second address: D78C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5F8D48AC3h 0x00000009 pop edi 0x0000000a jmp 00007FB5F8D48AC3h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78C3D second address: D78C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78C43 second address: D78C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79359 second address: D7935D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7935D second address: D7936F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007FB5F8D48AB6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7936F second address: D7937B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB5F8D48006h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7937B second address: D793A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB5F8D48AC7h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FB5F8D48AB6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79696 second address: D7969C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7969C second address: D796A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7DCF9 second address: D7DD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7DD06 second address: D7DD0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E1F5 second address: D7E20C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5F8D48013h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E20C second address: D7E210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E210 second address: D7E289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB5F8D48015h 0x0000000e nop 0x0000000f jmp 00007FB5F8D4800Ch 0x00000014 mov edx, dword ptr [ebp+122D3A8Dh] 0x0000001a push dword ptr [ebp+122D2E39h] 0x00000020 or dword ptr [ebp+122D2A50h], edx 0x00000026 call 00007FB5F8D48009h 0x0000002b jo 00007FB5F8D4800Eh 0x00000031 jns 00007FB5F8D48008h 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a jmp 00007FB5F8D48019h 0x0000003f pop eax 0x00000040 jo 00007FB5F8D4800Ch 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E289 second address: D7E2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FB5F8D48AC2h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E2B2 second address: D7E2CB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB5F8D4800Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E2CB second address: D7E2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C2E second address: 53E0C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C34 second address: 53E0C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a pushad 0x0000000b mov di, 2CA0h 0x0000000f popad 0x00000010 jns 00007FB5F8D48B19h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C50 second address: 53E0C6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48018h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C6C second address: 53E0C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C72 second address: 53E0C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0C76 second address: 53E0CC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB5F8D48ABBh 0x00000011 and cx, 9EDEh 0x00000016 jmp 00007FB5F8D48AC9h 0x0000001b popfd 0x0000001c popad 0x0000001d mov eax, dword ptr [eax+00000860h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FB5F8D48ABDh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0CC2 second address: 53E0CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0CC8 second address: 53E0CFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5F8D48AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB5F8D48AC5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0CFA second address: 53E0D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5F8D4800Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E0D0A second address: 53E0D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AE3CB2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AE3D1C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C8A8BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AE11B6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CB2920 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 2740 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: file.exe, file.exe, 00000001.00000002.2230266283.0000000000C6C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000003.2219908926.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2231066264.00000000015BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYF"
Source: file.exe, 00000001.00000002.2231066264.00000000015DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2219908926.00000000015DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.2231007768.000000000155E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0o\
Source: file.exe, 00000001.00000002.2230266283.0000000000C6C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AC5BB0 LdrInitializeThunk, 1_2_00AC5BB0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe, file.exe, 00000001.00000002.2230266283.0000000000C6C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528876 Sample: file.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 10 studennotediw.store 2->10 12 spirittunek.store 2->12 14 8 other IPs or domains 2->14 20 Multi AV Scanner detection for domain / URL 2->20 22 Suricata IDS alerts for network traffic 2->22 24 Found malware configuration 2->24 26 9 other signatures 2->26 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 sergei-esenin.com 104.21.53.8, 443, 49713 CLOUDFLARENETUS United States 6->16 18 steamcommunity.com 104.102.49.254, 443, 49711 AKAMAI-ASUS United States 6->18 28 Detected unpacking (changes PE section rights) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 Tries to evade debugger and weak emulator (self modifying code) 6->32 34 4 other signatures 6->34 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
sergei-esenin.com 104.21.53.8 true
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
dissapoiznw.storec true
    		unknown
    https://steamcommunity.com/profiles/76561199724331900 true
    • URL Reputation: malware
    		 unknown
    eaglepawnoy.storec true
      		unknown
      spirittunek.storec true
        		unknown
        studennotediw.storec true
          		unknown
          licendfilteo.sitec true
            		unknown
            clearancek.site true
              		unknown
              bathdoomgaz.storec true
                		unknown
                mobbipenju.store true
                  		unknown
                  https://sergei-esenin.com/api true
                    		unknown