Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531613
MD5: d28a43b3dbce6278477cc5696847850a
SHA1: 9e50e7ced4ac3ceecca11afaa981e036cd4b84cf
SHA256: 88131cc60d069d251c658a32f17720e443fe37de43eb4b4fbae6500d6e388b5f
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com:443/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: file.exe.2096.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["eaglepawnoy.store", "clearancek.site", "dissapoiznw.store", "studennotediw.store", "bathdoomgaz.store", "mobbipenju.store", "licendfilteo.site", "spirittunek.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe Virustotal: Detection: 53%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2148035198.0000000000B91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49711 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:60471 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54497 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:65535 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:62364 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:56078 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:53159 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:58534 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:56538 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49710 -> 23.192.247.89:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 172.67.206.204:443
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: spirittunek.store
Source: Joe Sandbox View IP Address: 23.192.247.89
Source: Joe Sandbox View IP Address: 172.67.206.204
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
  GET /profiles/76561199724331900 HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: steamcommunity.com
Source: global traffic HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ww.youtube.com https://www.google.com https://sketchfab.com https://playT equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/apiT
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akam
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=IZH_ONwLX4kw&l=e
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampo
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowe
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiY
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apib
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apif
Source: file.exe, 00000000.00000002.2148574776.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/i
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.f
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persis
Source: file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.2148763674.000000000168A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.stx
Source: file.exe, 00000000.00000002.2148574776.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147642933.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2137923043.0000000001678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147609286.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2137990496.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00BAD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B9CAA0 appears 48 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994714315181518
Source: file.exe Static PE information: Section: ulxmnlbd ZLIB complexity 0.9945931639443436
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC8220 CoCreateInstance, 0_2_00BC8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe Virustotal: Detection: 53%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1863168 > 1048576
Source: file.exe Static PE information: Raw size of ulxmnlbd is bigger than: 0x100000 < 0x19d400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.b90000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ulxmnlbd:EW;llihilhx:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ulxmnlbd:EW;llihilhx:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1d2b2f should be: 0x1c7ca7
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ulxmnlbd
Source: file.exe Static PE information: section name: llihilhx
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D1A0C3 push 17287D85h; mov dword ptr [esp], edi 0_2_00D1A117
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D1A0C3 push ecx; mov dword ptr [esp], edi 0_2_00D1A18A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E400C2 push 131A4790h; mov dword ptr [esp], edx 0_2_00E400EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E400C2 push 3AC60D22h; mov dword ptr [esp], edx 0_2_00E40140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E820D1 push edi; mov dword ptr [esp], ebx 0_2_00E820DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45060 push 57CFA0B7h; mov dword ptr [esp], ecx 0_2_00E45074
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45060 push ebx; mov dword ptr [esp], edx 0_2_00E4514C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45060 push edx; mov dword ptr [esp], ebp 0_2_00E451A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE7043 push 6E21B3CEh; mov dword ptr [esp], edi 0_2_00DE709A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD7079 push 00F0ED1Ch; mov dword ptr [esp], ebp 0_2_00DD7091
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E31059 push ebx; mov dword ptr [esp], ebp 0_2_00E3107D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF6064 push ebp; mov dword ptr [esp], ebx 0_2_00DF60E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE4011 push esi; mov dword ptr [esp], edx 0_2_00DE4015
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push ecx; mov dword ptr [esp], 0A7774A7h 0_2_00D62224
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edi; mov dword ptr [esp], 1AB94CBDh 0_2_00D62232
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push esi; mov dword ptr [esp], 55BFC2A1h 0_2_00D62389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edi; mov dword ptr [esp], edx 0_2_00D623E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push ecx; mov dword ptr [esp], edx 0_2_00D623FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push ebp; mov dword ptr [esp], ebx 0_2_00D62416
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push ebp; mov dword ptr [esp], 41BDA180h 0_2_00D6249F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push 73209117h; mov dword ptr [esp], esi 0_2_00D62543
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push 6A1879D2h; mov dword ptr [esp], ecx 0_2_00D62553
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edx; mov dword ptr [esp], 47E721BEh 0_2_00D62557
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push 53593201h; mov dword ptr [esp], eax 0_2_00D6257B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push 79690466h; mov dword ptr [esp], edx 0_2_00D625A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push 15585F18h; mov dword ptr [esp], esi 0_2_00D62602
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edx; mov dword ptr [esp], eax 0_2_00D6261A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edi; mov dword ptr [esp], eax 0_2_00D62648
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push edi; mov dword ptr [esp], ebx 0_2_00D626D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push ecx; mov dword ptr [esp], esi 0_2_00D626F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D621F2 push esi; mov dword ptr [esp], 277B896Bh 0_2_00D62751
Source: file.exe Static PE information: section name: entropy: 7.981198365212424
Source: file.exe Static PE information: section name: ulxmnlbd entropy: 7.9532776057509755
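The static findings scattered through this report (ZLIB complexity and entropy of the unnamed and ulxmnlbd sections, the header checksum 0x1d2b2f that should be 0x1c7ca7, the non-standard section names, the raw size of ulxmnlbd above 1 MiB and the entry point inside .taggant) can all be reproduced with the stdlib-only Python below. This is an added example, not code from the sandbox vendor or from the sample: the PE it inspects is constructed by build_sample() (a zero-filled .text plus a pseudo-random writable-and-executable section named ulxmnlbd that holds the entry point, with a CheckSum of 0x1234 that is wrong on purpose), the checksum routine follows the documented CheckSumMappedFile algorithm, and "ZLIB complexity" is assumed to mean compressed size divided by raw size, since the report does not define it.

```python
"""Static PE triage for the findings above: recompute the header CheckSum, score each
section by entropy and zlib complexity, and flag non-standard, W+X or entry-point sections.
Added example (stdlib only), not code from the sandbox or the sample; the PE it inspects
is constructed by build_sample()."""
import hashlib, math, struct, zlib
from collections import Counter

STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def pe_checksum(data: bytes) -> int:
    """CheckSum as CheckSumMappedFile computes it: sum the file as 32-bit words with
    end-around carry, skipping the CheckSum field, fold to 16 bits, add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    cs_off = (e_lfanew + 24 + 0x40) & ~3          # "PE\0\0" + COFF header, then opt+0x40
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def zlib_complexity(buf: bytes) -> float:
    """Compressed size over raw size (assumed to be what the report's 'ZLIB complexity' is)."""
    return len(zlib.compress(buf, 9)) / len(buf) if buf else 0.0

def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, list of section dicts) from the PE32 headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    table, secs = e_lfanew + 24 + opt_size, []
    for k in range(n_sec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * k)
        chars = struct.unpack_from("<I", data, table + 40 * k + 36)[0]
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                     "vsize": vsize, "raw": data[rptr:rptr + rsize], "chars": chars})
    return entry_rva, secs

def triage(data: bytes) -> list:
    """One line per finding, in the spirit of the report's static PE entries."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stored, computed = struct.unpack_from("<I", data, e_lfanew + 24 + 0x40)[0], pe_checksum(data)
    findings = []
    # A zero CheckSum is common and proves nothing; a nonzero mismatch means the headers
    # were altered after link time, which is what a packer that appends sections does.
    if stored and stored != computed:
        findings.append(f"checksum: header 0x{stored:x}, computed 0x{computed:x}")
    entry_rva, secs = parse_sections(data)
    for s in secs:
        tags, ent = [], shannon_entropy(s["raw"])
        if s["name"] not in STANDARD_NAMES:
            tags.append("non-standard name")
        if ent > 7.0:                               # packed/encrypted payloads sit near 8.0
            tags.append(f"entropy {ent:.2f}, zlib {zlib_complexity(s['raw']):.3f}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            tags.append("W+X")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            tags.append("entry point")
        if tags:
            findings.append(f"section {s['name']!r}: " + ", ".join(tags))
    return findings

def build_sample() -> bytes:
    """Constructed PE32, not the report's file: a zero-filled .text, a pseudo-random W+X
    section named 'ulxmnlbd' holding the entry point, and a CheckSum that is wrong on purpose."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 bytes
    secs = [(b".text", b"\0" * 0x200, 0x60000020),        # CODE | EXECUTE | READ
            (b"ulxmnlbd", packed, 0xE0000020)]            # CODE | EXECUTE | READ | WRITE
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    opt = bytearray(0xE0)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x2000)               # AddressOfEntryPoint -> ulxmnlbd
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x40, 0x1234)             # CheckSum, deliberately wrong
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table, body, rva, first_raw = b"", b"", 0x1000, 0x200
    for name, raw, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw),
                             first_raw + len(body), 0, 0, 0, 0, chars)
        body += raw
        rva += (len(raw) + 0xFFF) & ~0xFFF
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return hdr + b"\0" * (first_raw - len(hdr)) + body

if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

To run it against a real file, replace build_sample() with open(path, "rb").read(). Two caveats when reading the output: a CheckSum of zero is what many linkers emit and is not suspicious by itself, whereas a nonzero mismatch like the 0x1d2b2f versus 0x1c7ca7 above means the headers were rewritten after linking, which fits a packer that appended ulxmnlbd, llihilhx and .taggant; and entropy close to 8 with a zlib ratio close to 1.0 (7.98 and 0.9994 for the unnamed section above) says the bytes are compressed or encrypted, not what they decrypt to, so the unpacked image from the dynamic run is still the thing to analyse.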
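Every entry in the push/mov listing above is one idiom: "push X; mov dword ptr [esp], Y" creates a stack slot holding X and overwrites it with Y before anything can read it, so the pair is a disguised "push Y" and the X operand (often a random-looking immediate) is dead. The script below is an added example, not part of the sandbox report; it reads a handful of lines copied from the listing, plus one unrelated line on purpose, rewrites each pair to the instruction it is equivalent to, and ranks functions by how many disguised pushes they contain. The SAMPLE text is the only input and is constructed from the page.

```python
"""Peephole reading of the 'push X; mov dword ptr [esp], Y' pairs listed in the report.
Added example, not part of the sandbox report; SAMPLE is copied from the listing and
deliberately includes one line that is not the idiom."""
import re
from collections import Counter

# One report line -> function start, the instruction text, and the instruction address
REPORT_LINE = re.compile(r"Code function: (?P<func>\S+) (?P<insn>.+) (?P<addr>\S+)$")
# The idiom: a push whose new stack slot is immediately overwritten through [esp]
PUSH_PAIR = re.compile(r"^push (?P<dead>[^;]+); mov dword ptr \[esp\], (?P<live>.+)$",
                       re.IGNORECASE)

SAMPLE = """\
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00D1A0C3 push 17287D85h; mov dword ptr [esp], edi 0_2_00D1A117
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00D1A0C3 push ecx; mov dword ptr [esp], edi 0_2_00D1A18A
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00D621F2 push ecx; mov dword ptr [esp], 0A7774A7h 0_2_00D62224
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00D621F2 push 73209117h; mov dword ptr [esp], esi 0_2_00D62543
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00D621F2 push edx; mov dword ptr [esp], 47E721BEh 0_2_00D62557
Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00BC8220 CoCreateInstance, 0_2_00BC8220
"""

def simplify(insn: str):
    """'push A; mov dword ptr [esp], B' leaves exactly what 'push B' would leave: A is
    written into the new slot and overwritten before any instruction can read it.
    Returns (equivalent instruction, dead operand), or None when insn is not the idiom."""
    m = PUSH_PAIR.match(insn.strip())
    if not m:
        return None
    return f"push {m['live'].strip()}", m["dead"].strip()

def disguised_pushes(report: str):
    """Yield (function, address, original text, equivalent, dead operand) for each hit."""
    for line in report.splitlines():
        m = REPORT_LINE.search(line)
        if not m:
            continue
        s = simplify(m["insn"])
        if s:
            yield m["func"], m["addr"], m["insn"], s[0], s[1]

def hits_per_function(report: str) -> Counter:
    """Disguised pushes per function: a quick ranking of which routine is most obfuscated."""
    return Counter(func for func, *_ in disguised_pushes(report))

if __name__ == "__main__":
    for func, addr, insn, equiv, dead in disguised_pushes(SAMPLE):
        print(f"{func} @ {addr}: {insn:<48} => {equiv}  (dead operand: {dead})")
    print(hits_per_function(SAMPLE))
```

The rewrite is only valid because the report pairs each push with the mov that immediately follows it; before applying it to a full disassembly, confirm that no instruction between the two reads [esp] and that the push is not the last instruction before a call or a return, otherwise the "dead" operand is live. In this listing the 0_2_00D621F2 routine alone contains eighteen such pairs, which is why it is a good first target for deobfuscation.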

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF40A4 second address: BF38EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 jns 00007F9F24D1BA77h 0x0000000f push dword ptr [ebp+122D0E51h] 0x00000015 jmp 00007F9F24D1BA7Fh 0x0000001a cmc 0x0000001b call dword ptr [ebp+122D2815h] 0x00000021 pushad 0x00000022 jc 00007F9F24D1BA89h 0x00000028 xor eax, eax 0x0000002a clc 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f jmp 00007F9F24D1BA84h 0x00000034 add dword ptr [ebp+122D1943h], ebx 0x0000003a mov dword ptr [ebp+122D34CEh], eax 0x00000040 jmp 00007F9F24D1BA80h 0x00000045 mov esi, 0000003Ch 0x0000004a jl 00007F9F24D1BA8Fh 0x00000050 pushad 0x00000051 jmp 00007F9F24D1BA81h 0x00000056 xor dword ptr [ebp+122D1943h], ecx 0x0000005c popad 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 jmp 00007F9F24D1BA88h 0x00000066 lodsw 0x00000068 add dword ptr [ebp+122D1943h], ecx 0x0000006e jng 00007F9F24D1BA84h 0x00000074 pushad 0x00000075 mov eax, dword ptr [ebp+122D34FAh] 0x0000007b jng 00007F9F24D1BA76h 0x00000081 popad 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 jmp 00007F9F24D1BA7Bh 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jno 00007F9F24D1BA82h 0x00000095 push eax 0x00000096 push edx 0x00000097 pushad 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6870A second address: D68732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED25h 0x00000009 pop ecx 0x0000000a ja 00007F9F2573ED1Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D689E8 second address: D689EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68B87 second address: D68B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F9F2573ED16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68B97 second address: D68B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BA1F second address: D6BA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BA25 second address: D6BA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c jg 00007F9F24D1BA76h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jc 00007F9F24D1BA78h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9F24D1BA85h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BAF2 second address: D6BAF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BAF6 second address: D6BB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 jmp 00007F9F24D1BA87h 0x0000000d push 00000000h 0x0000000f adc edi, 0AFC6941h 0x00000015 push 13FBD682h 0x0000001a pushad 0x0000001b jnp 00007F9F24D1BA83h 0x00000021 jmp 00007F9F24D1BA7Dh 0x00000026 push ecx 0x00000027 push esi 0x00000028 pop esi 0x00000029 pop ecx 0x0000002a popad 0x0000002b xor dword ptr [esp], 13FBD602h 0x00000032 mov dword ptr [ebp+122D28F2h], esi 0x00000038 mov dword ptr [ebp+122D3062h], ebx 0x0000003e push 00000003h 0x00000040 jnp 00007F9F24D1BA82h 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D1E9Ch], ecx 0x0000004e push 00000003h 0x00000050 or di, 0DA5h 0x00000055 push 6448B579h 0x0000005a je 00007F9F24D1BA80h 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BB7F second address: D6BBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 add dword ptr [esp], 5BB74A87h 0x0000000e mov dword ptr [ebp+122D2841h], ecx 0x00000014 lea ebx, dword ptr [ebp+1244B944h] 0x0000001a and esi, dword ptr [ebp+122D1BBDh] 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 jbe 00007F9F2573ED16h 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BC16 second address: D6BC1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BE34 second address: D6BE38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF27 second address: D6BF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF2B second address: D6BF31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF31 second address: D6BF3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F9F24D1BA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF3B second address: D6BF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89618 second address: D8961C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89737 second address: D8974B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F2573ED1Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8989D second address: D898A7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9F24D1BA7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D898A7 second address: D898D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED1Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F2573ED28h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D898D2 second address: D898F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F24D1BA87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89AA0 second address: D89AA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89AA8 second address: D89AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F9F24D1BA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89AB2 second address: D89AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89DB3 second address: D89DCF instructions: 0x00000000 rdtsc 0x00000002 je 00007F9F24D1BA76h 0x00000008 jmp 00007F9F24D1BA7Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89DCF second address: D89DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89DD3 second address: D89DE0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9F24D1BA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89DE0 second address: D89DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9F2573ED16h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F9F2573ED18h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A04A second address: D8A053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A1ED second address: D8A201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9F2573ED1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A201 second address: D8A23B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F24D1BA87h 0x00000008 jnp 00007F9F24D1BA76h 0x0000000e jmp 00007F9F24D1BA88h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A363 second address: D8A39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9F2573ED16h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007F9F2573ED22h 0x00000011 pop edx 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 jmp 00007F9F2573ED23h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4C8 second address: D8A4E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F9F24D1BA76h 0x0000000f pop eax 0x00000010 jl 00007F9F24D1BA82h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4E0 second address: D8A4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4E6 second address: D8A4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007F9F24D1BA76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4F2 second address: D8A532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9F2573ED24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jnp 00007F9F2573ED2Bh 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F9F2573ED23h 0x0000001a push eax 0x0000001b jnc 00007F9F2573ED16h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A7E7 second address: D8A7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d jo 00007F9F24D1BA7Eh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A7FE second address: D8A805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A805 second address: D8A80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A96A second address: D8A972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B055 second address: D8B059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B059 second address: D8B05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B05F second address: D8B069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B069 second address: D8B06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B06F second address: D8B073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B073 second address: D8B077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B1EB second address: D8B1F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F9F24D1BA76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B327 second address: D8B32D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B467 second address: D8B46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B729 second address: D8B733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9F2573ED16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B733 second address: D8B743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F9F24D1BA78h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B743 second address: D8B749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F76F second address: D8F784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007F9F24D1BA84h 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F9F24D1BA76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8FBFD second address: D8FC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8FC03 second address: D8FC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8FF60 second address: D8FF65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90F89 second address: D90F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90F8F second address: D90F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9F2573ED16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90F9A second address: D90FA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59471 second address: D59486 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F2573ED16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F9F2573ED16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59486 second address: D5948C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99335 second address: D99349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99349 second address: D9934E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99AF1 second address: D99AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99BEE second address: D99C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jbe 00007F9F24D1BA76h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A129 second address: D9A12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9AA2D second address: D9AA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B2F8 second address: D9B2FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9D81C second address: D9D896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 pushad 0x00000009 mov dword ptr [ebp+122D2900h], esi 0x0000000f and ebx, 284FCC10h 0x00000015 popad 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F9F24D1BA78h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F9F24D1BA78h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D20C7h], eax 0x00000054 xchg eax, ebx 0x00000055 jne 00007F9F24D1BA7Eh 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f je 00007F9F24D1BA76h 0x00000065 pop eax 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9D896 second address: D9D89B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E2CE second address: D9E2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F4DD second address: D9F4E7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F2573ED16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA021F second address: DA0233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F24D1BA7Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55E41 second address: D55E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA78A5 second address: DA78AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA879F second address: DA87B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F2573ED25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA7A0B second address: DA7A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA87B8 second address: DA87BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA7A0F second address: DA7A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA7A19 second address: DA7A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9854 second address: DA9858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA8990 second address: DA8A30 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F2573ED1Ch 0x00000008 jng 00007F9F2573ED16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov bx, di 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F9F2573ED18h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 mov bl, ah 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F9F2573ED18h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D20C7h], ebx 0x0000005e mov eax, dword ptr [ebp+122D0039h] 0x00000064 pushad 0x00000065 mov di, si 0x00000068 mov ebx, dword ptr [ebp+122D35EAh] 0x0000006e popad 0x0000006f push FFFFFFFFh 0x00000071 jmp 00007F9F2573ED28h 0x00000076 push eax 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9A2F second address: DA9A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9A34 second address: DA9A39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DABA26 second address: DABA59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F9F24D1BA76h 0x0000000d jmp 00007F9F24D1BA89h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F9F24D1BA76h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9A39 second address: DA9A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DABA59 second address: DABA5F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DADB1F second address: DADB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jp 00007F9F2573ED22h 0x0000000d pop esi 0x0000000e jnp 00007F9F2573ED47h 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F9F2573ED16h 0x0000001c jmp 00007F9F2573ED21h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DABC20 second address: DABC2A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F24D1BA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DADB58 second address: DADB5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAE132 second address: DAE140 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F24D1BA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAE140 second address: DAE144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAE144 second address: DAE1C1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9F24D1BA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e cmc 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F9F24D1BA78h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov bh, 51h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F9F24D1BA78h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jng 00007F9F24D1BA76h 0x00000053 jmp 00007F9F24D1BA85h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAE3C4 second address: DAE3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB40C6 second address: DB40CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB40CA second address: DB40D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB40D0 second address: DB414B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9F24D1BA8Fh 0x00000008 jmp 00007F9F24D1BA89h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F9F24D1BA85h 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F9F24D1BA78h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 js 00007F9F24D1BA7Ch 0x00000036 and edi, 5BDAA43Bh 0x0000003c push 00000000h 0x0000003e mov edi, dword ptr [ebp+122D3642h] 0x00000044 push 00000000h 0x00000046 cmc 0x00000047 xchg eax, esi 0x00000048 push ebx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB414B second address: DB4169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED22h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB014E second address: DB0153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB328D second address: DB330D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F2573ED16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F9F2573ED24h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edi, dword ptr [ebp+122D345Eh] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 adc ebx, 6AE070F1h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d mov edi, dword ptr [ebp+122D355Ah] 0x00000033 mov eax, dword ptr [ebp+122D1659h] 0x00000039 mov dword ptr [ebp+122D197Dh], edi 0x0000003f mov dword ptr [ebp+122D1B9Ch], ecx 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push ecx 0x0000004a call 00007F9F2573ED18h 0x0000004f pop ecx 0x00000050 mov dword ptr [esp+04h], ecx 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc ecx 0x0000005d push ecx 0x0000005e ret 0x0000005f pop ecx 0x00000060 ret 0x00000061 sbb di, 4923h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0153 second address: DB0159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB330D second address: DB3314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0159 second address: DB015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3314 second address: DB331A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB015D second address: DB0192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F24D1BA85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9F24D1BA85h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0192 second address: DB0198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0198 second address: DB019E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB019E second address: DB01A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB53C9 second address: DB53D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9F24D1BA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB53D3 second address: DB53D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB71AA second address: DB720E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F24D1BA7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F9F24D1BA78h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2532h], ecx 0x0000002c push 00000000h 0x0000002e mov edi, 6D93C439h 0x00000033 push 00000000h 0x00000035 je 00007F9F24D1BA86h 0x0000003b jmp 00007F9F24D1BA80h 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jns 00007F9F24D1BA76h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB720E second address: DB7218 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB7218 second address: DB721C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEB59 second address: DBEB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D71E second address: D4D728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9F24D1BA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D728 second address: D4D740 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9F2573ED16h 0x00000008 jmp 00007F9F2573ED1Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D740 second address: D4D754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F24D1BA7Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D754 second address: D4D772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F2573ED28h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D772 second address: D4D776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D776 second address: D4D79D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F9F2573ED26h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D79D second address: D4D7C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9F24D1BA76h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007F9F24D1BA76h 0x00000014 jmp 00007F9F24D1BA83h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D7C5 second address: D4D7E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F2573ED29h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE324 second address: DBE328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE4A9 second address: DBE4AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE4AF second address: DBE4B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE4B3 second address: DBE4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE62C second address: DBE643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 jmp 00007F9F24D1BA80h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE643 second address: DBE659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F2573ED20h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC37FF second address: DC3805 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8457 second address: DC8460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8460 second address: DC8468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8468 second address: DC846C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC89FE second address: DC8A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8A04 second address: DC8A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pushad 0x00000007 jng 00007F9F2573ED1Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F9F2573ED16h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8A23 second address: DC8A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8A27 second address: DC8A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jg 00007F9F2573ED16h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8E3F second address: DC8E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007F9F24D1BA76h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8E4E second address: DC8E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F9F2573ED1Eh 0x0000000d jmp 00007F9F2573ED28h 0x00000012 pop edi 0x00000013 popad 0x00000014 push edi 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8FF8 second address: DC8FFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8FFE second address: DC901A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9F2573ED21h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9154 second address: DC9158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC951D second address: DC9521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9521 second address: DC9532 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F9F24D1BA76h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCDAD8 second address: DCDADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE079 second address: DCE096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F24D1BA88h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE223 second address: DCE227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE227 second address: DCE23A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F24D1BA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F9F24D1BA76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE23A second address: DCE24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F9F2573ED18h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE24D second address: DCE257 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F24D1BA76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE907 second address: DCE90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F8D8 second address: D7F8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCEDA0 second address: DCEDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jo 00007F9F2573ED16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCEDAC second address: DCEDB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCEDB0 second address: DCEDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F2573ED16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F9F2573ED16h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCEDC6 second address: DCEDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD340A second address: DD3423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9F2573ED16h 0x0000000a jmp 00007F9F2573ED1Eh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2BAF second address: DA2BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2C5C second address: DA2C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2C60 second address: DA2C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2C66 second address: DA2C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2C6C second address: DA2C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2C70 second address: BF38EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12470F26h], ecx 0x00000011 push eax 0x00000012 xor dword ptr [ebp+122D2067h], ebx 0x00000018 pop edi 0x00000019 push dword ptr [ebp+122D0E51h] 0x0000001f mov dword ptr [ebp+122D1F26h], ebx 0x00000025 call dword ptr [ebp+122D2815h] 0x0000002b pushad 0x0000002c jc 00007F9F2573ED29h 0x00000032 jmp 00007F9F2573ED23h 0x00000037 xor eax, eax 0x00000039 clc 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e jmp 00007F9F2573ED24h 0x00000043 add dword ptr [ebp+122D1943h], ebx 0x00000049 mov dword ptr [ebp+122D34CEh], eax 0x0000004f jmp 00007F9F2573ED20h 0x00000054 mov esi, 0000003Ch 0x00000059 jl 00007F9F2573ED2Fh 0x0000005f pushad 0x00000060 jmp 00007F9F2573ED21h 0x00000065 xor dword ptr [ebp+122D1943h], ecx 0x0000006b popad 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 jmp 00007F9F2573ED28h 0x00000075 lodsw 0x00000077 add dword ptr [ebp+122D1943h], ecx 0x0000007d jng 00007F9F2573ED24h 0x00000083 pushad 0x00000084 mov eax, dword ptr [ebp+122D34FAh] 0x0000008a jng 00007F9F2573ED16h 0x00000090 popad 0x00000091 add eax, dword ptr [esp+24h] 0x00000095 jmp 00007F9F2573ED1Bh 0x0000009a mov ebx, dword ptr [esp+24h] 0x0000009e jno 00007F9F2573ED22h 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 pushad 0x000000a7 push eax 0x000000a8 push edx 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2CF1 second address: DA2CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2CF6 second address: DA2D23 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F2573ED2Eh 0x00000008 jmp 00007F9F2573ED28h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jnc 00007F9F2573ED16h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2D23 second address: DA2D5C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F24D1BA78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F9F24D1BA84h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F9F24D1BA7Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007F9F24D1BA76h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56663 second address: E56667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56667 second address: E5666B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5666B second address: E56690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED29h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56690 second address: E566A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9F24D1BA7Ah 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E544A4 second address: E544AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E655A4 second address: E655AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E653F9 second address: E6540C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F2573ED1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6540C second address: E65410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E65410 second address: E65416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6997C second address: E69999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F9F24D1BA76h 0x00000009 jno 00007F9F24D1BA76h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F9F24D1BA76h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E69999 second address: E6999D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E694EA second address: E694F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F9F24D1BA76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E69656 second address: E6965C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6965C second address: E69665 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E69665 second address: E69674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007F9F2573ED38h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E69674 second address: E69682 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F9F24D1BA76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E69682 second address: E6968C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F2573ED16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815BC second address: E815D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F24D1BA86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815D6 second address: E815DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815DA second address: E815E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815E0 second address: E815EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F9F2573ED16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815EE second address: E815F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815F2 second address: E815F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E816F4 second address: E816FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E816FA second address: E81700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81700 second address: E8171D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a jo 00007F9F24D1BA88h 0x00000010 push edi 0x00000011 jmp 00007F9F24D1BA7Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81A19 second address: E81A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81CD4 second address: E81CDE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F24D1BA76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81FA5 second address: E81FD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F2573ED26h 0x00000007 jmp 00007F9F2573ED28h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81FD7 second address: E81FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F24D1BA85h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81FF0 second address: E81FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E820F9 second address: E820FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E820FD second address: E8210D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9F2573ED1Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8227F second address: E82283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E82283 second address: E822A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F9F2573ED1Ch 0x0000000c jnc 00007F9F2573ED18h 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83C71 second address: E83C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F9F24D1BA7Ch 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83B2A second address: E83B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83B30 second address: E83B3A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F24D1BA76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E85374 second address: E85378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E87E0E second address: E87E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E87E12 second address: E87E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E87EFB second address: E87F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E880D8 second address: E88158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F9F2573ED18h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D28D7h], esi 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F9F2573ED18h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov dh, cl 0x00000049 sbb edx, 47B52AE4h 0x0000004f call 00007F9F2573ED19h 0x00000054 jmp 00007F9F2573ED1Ah 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jo 00007F9F2573ED16h 0x00000063 pushad 0x00000064 popad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88158 second address: E88162 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F24D1BA7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88162 second address: E8818E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F9F2573ED28h 0x00000010 pushad 0x00000011 jno 00007F9F2573ED16h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8818E second address: E881B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F9F24D1BA8Dh 0x00000010 jmp 00007F9F24D1BA87h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E881B5 second address: E881BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E881BB second address: E881BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88461 second address: E88467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88467 second address: E88493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov edx, 11EE6E5Eh 0x0000000c push dword ptr [ebp+122D1E16h] 0x00000012 mov dword ptr [ebp+122D257Ch], edx 0x00000018 mov edx, 0B88F5A0h 0x0000001d push C33E3BAFh 0x00000022 ja 00007F9F24D1BA84h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88493 second address: E88497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8AF16 second address: E8AF3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F9F24D1BA85h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8AF3A second address: E8AF3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210DB6 second address: 5210DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9F24D1BA88h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210DDF second address: 5210DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210DE5 second address: 5210DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210DE9 second address: 5210E7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F2573ED1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d jmp 00007F9F2573ED1Eh 0x00000012 jns 00007F9F2573ED3Dh 0x00000018 jmp 00007F9F2573ED20h 0x0000001d add eax, ecx 0x0000001f pushad 0x00000020 call 00007F9F2573ED1Eh 0x00000025 mov ebx, ecx 0x00000027 pop ecx 0x00000028 mov eax, edi 0x0000002a popad 0x0000002b mov eax, dword ptr [eax+00000860h] 0x00000031 pushad 0x00000032 call 00007F9F2573ED1Fh 0x00000037 mov ecx, 10B3E3AFh 0x0000003c pop ecx 0x0000003d jmp 00007F9F2573ED25h 0x00000042 popad 0x00000043 test eax, eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F9F2573ED1Dh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BF3854 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BF3942 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DA2835 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E19B17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5552 Thread sleep time: -60000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2148069464.0000000000D71000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2148574776.00000000015BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW1
Source: file.exe, 00000000.00000003.2147642933.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2148574776.0000000001614000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2148069464.0000000000D71000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD5BB0 LdrInitializeThunk, 0_2_00BD5BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe, file.exe, 00000000.00000002.2148069464.0000000000D71000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR