Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532904
MD5: e6f6b8cea53e7f4747e424f1617f3393
SHA1: 59c199c720a2e106822defba032c2eb90f9699da
SHA256: 95b1cfb989f22fc872400433acaa047fc01be081433137307523e4d116390598
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com:443/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: file.exe.6988.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "spirittunek.store", "mobbipenju.store", "licendfilteo.site", "eaglepawnoy.store", "bathdoomgaz.store", "clearancek.site", "studennotediw.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for domain / URL
Source: sergei-esenin.com Virustotal: Detection: 17% Perma Link
Source: studennotediw.store Virustotal: Detection: 17% Perma Link
Source: bathdoomgaz.store Virustotal: Detection: 21% Perma Link
Source: spirittunek.store Virustotal: Detection: 21% Perma Link
Source: mobbipenju.store Virustotal: Detection: 21% Perma Link
Source: clearancek.site Virustotal: Detection: 17% Perma Link
Source: licendfilteo.site Virustotal: Detection: 15% Perma Link
Source: dissapoiznw.store Virustotal: Detection: 21% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 18% Perma Link
Source: https://bathdoomgaz.store:443/api Virustotal: Detection: 21% Perma Link
Source: studennotediw.store Virustotal: Detection: 17% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 18% Perma Link
Source: https://licendfilteo.site:443/api Virustotal: Detection: 19% Perma Link
Source: https://sergei-esenin.com:443/api Virustotal: Detection: 18% Perma Link
Source: dissapoiznw.store Virustotal: Detection: 21% Perma Link
Source: https://dissapoiznw.store:443/api Virustotal: Detection: 21% Perma Link
Source: https://sergei-esenin.com/0 Virustotal: Detection: 15% Perma Link
Source: bathdoomgaz.store Virustotal: Detection: 21% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1950554236.0000000000531000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0053D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0053D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_005799D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0053FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00540EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00575700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00546F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_0054D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00573920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_005349A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00535A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00574A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00541A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00541ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_005442FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00579B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_0053A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00543BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00541BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0054D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0055C470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_0054B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_0055CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0055CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_0055CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00579CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00579CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00559510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_0055FD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00546536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00541E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_0053BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00546EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00536EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00546F91

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:53209 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:58628 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:63169 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:53766 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:61554 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:50547 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:58554 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:51153 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: studennotediw.store
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=eY.z8bZweqIPgKfpYDlsN4_L2R0LQF9aLZkPSL_aagI-1728881527-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sru `Qo equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7f29bf101b41067af1b6c20b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 04:52:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: adcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/api
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/apiP
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/0
Source: file.exe, 00000000.00000002.1951560374.00000000012B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/C:
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.00000000012B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api0
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiA
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apirt.c
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749512570.0000000001298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.1951560374.0000000001293000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1749512570.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749627824.0000000001326000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.1749512570.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-manag
Source: file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749627824.0000000001326000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1743087878.000000000130D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749477612.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1743123008.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00540228 0_2_00540228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00542030 0_2_00542030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0057A0D0 0_2_0057A0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0056E8A0 0_2_0056E8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00535160 0_2_00535160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053E1A0 0_2_0053E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00574A40 0_2_00574A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053A300 0_2_0053A300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0055C470 0_2_0055C470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0055CCD0 0_2_0055CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0054049B 0_2_0054049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00544487 0_2_00544487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00537CA4 0_2_00537CA4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0055FD10 0_2_0055FD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0054C5F0 0_2_0054C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005335B0 0_2_005335B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053BEB0 0_2_0053BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00546EBF 0_2_00546EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053AF10 0_2_0053AF10
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0054D300 appears 47 times
One or more processes crash
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1924
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995874587458746
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/5@11/2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6988
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\05bbaa9c-104d-4d88-b3fb-58b18fa506fa Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: xRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1924
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1936
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 2963456 > 1048576
Source: file.exe Static PE information: Raw size of uinrpldy is bigger than: 0x100000 < 0x2aa000

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.530000.0.unpack :EW;.rsrc :W;.idata :W;uinrpldy:EW;bdkjvfmn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;uinrpldy:EW;bdkjvfmn:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2e2b59 should be: 0x2d4b8a
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: uinrpldy
Source: file.exe Static PE information: section name: bdkjvfmn
Source: file.exe Static PE information: section name: .taggant
Source: file.exe Static PE information: section name: entropy: 7.9847073555245185

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59484B second address: 594852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707CAE second address: 707CDA instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF192480B8h 0x00000008 ja 00007EFF192480C9h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707CDA second address: 707CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707CDF second address: 707D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFF192480C3h 0x0000000e jmp 00007EFF192480BDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707F9B second address: 707FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jbe 00007EFF192B60FEh 0x0000000d jng 00007EFF192B60EAh 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7082D7 second address: 7082F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFF192480B6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFF192480C3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7082F7 second address: 7082FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7082FB second address: 708301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 708301 second address: 708307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 708307 second address: 70831C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70831C second address: 708320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 708320 second address: 708336 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007EFF192480BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7084B1 second address: 7084D2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFF192B60F6h 0x00000008 pushad 0x00000009 js 00007EFF192B60E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7084D2 second address: 7084D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A07C second address: 70A0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D2618h], eax 0x0000000c push 00000000h 0x0000000e movzx edi, si 0x00000011 push 277B8F56h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007EFF192B60F5h 0x0000001e push eax 0x0000001f pop eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A0AD second address: 70A137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 277B8FD6h 0x00000010 movsx esi, di 0x00000013 push 00000003h 0x00000015 mov edi, dword ptr [ebp+122D2B0Dh] 0x0000001b push 00000000h 0x0000001d movsx esi, cx 0x00000020 push 00000003h 0x00000022 or edx, 09456019h 0x00000028 push F4D1B3CCh 0x0000002d pushad 0x0000002e jg 00007EFF192480CCh 0x00000034 jmp 00007EFF192480C6h 0x00000039 jne 00007EFF192480BCh 0x0000003f popad 0x00000040 xor dword ptr [esp], 34D1B3CCh 0x00000047 mov dword ptr [ebp+122D1D61h], edx 0x0000004d add edi, dword ptr [ebp+122D2CE9h] 0x00000053 lea ebx, dword ptr [ebp+12449F4Bh] 0x00000059 and edx, 20CAE82Eh 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 jng 00007EFF192480B6h 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A19E second address: 70A1A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A1A2 second address: 70A1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007EFF192480C8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A1C7 second address: 70A1CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A1CB second address: 70A1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 and edi, 5A017D71h 0x0000000e push 00000000h 0x00000010 mov edi, edx 0x00000012 call 00007EFF192480B9h 0x00000017 jmp 00007EFF192480BBh 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A1F7 second address: 70A1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A1FC second address: 70A216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A216 second address: 70A230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A230 second address: 70A266 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007EFF192480BCh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jc 00007EFF192480E3h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007EFF192480C4h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A373 second address: 70A405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60F3h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dx, 1400h 0x00000011 xor dword ptr [ebp+122D2955h], ebx 0x00000017 push 00000000h 0x00000019 mov dl, C0h 0x0000001b mov edi, dword ptr [ebp+122D2E59h] 0x00000021 push B3533331h 0x00000026 jmp 00007EFF192B60EBh 0x0000002b add dword ptr [esp], 4CACCD4Fh 0x00000032 sub dword ptr [ebp+122D1D6Bh], eax 0x00000038 push 00000003h 0x0000003a sub ecx, 70FDE648h 0x00000040 push 00000000h 0x00000042 push 00000003h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007EFF192B60E8h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e call 00007EFF192B60E9h 0x00000063 jmp 00007EFF192B60EBh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A405 second address: 70A40F instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A40F second address: 70A45F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007EFF192B60F5h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push esi 0x00000015 pushad 0x00000016 jno 00007EFF192B60E6h 0x0000001c jmp 00007EFF192B60EBh 0x00000021 popad 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A45F second address: 70A465 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A465 second address: 70A46A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A46A second address: 70A4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007EFF192480B8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 lea ebx, dword ptr [ebp+12449F5Fh] 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007EFF192480B8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov dword ptr [ebp+122D2618h], esi 0x00000048 xchg eax, ebx 0x00000049 jne 00007EFF192480CEh 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A4E7 second address: 70A4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A4EB second address: 70A4EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A4EF second address: 70A4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A4F5 second address: 70A50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192480C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF332 second address: 6FF338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF338 second address: 6FF33D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF33D second address: 6FF367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60ECh 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFF192B60F1h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF367 second address: 6FF377 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A36B second address: 72A371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A371 second address: 72A375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A375 second address: 72A391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A391 second address: 72A399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A399 second address: 72A39D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A689 second address: 72A695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFF192480B6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A695 second address: 72A6A3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFF192B60E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A7DD second address: 72A810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFF192480B8h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007EFF192480C1h 0x00000013 jmp 00007EFF192480BBh 0x00000018 jmp 00007EFF192480C3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72AACD second address: 72AAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007EFF192B60F6h 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B054 second address: 72B05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72249E second address: 7224A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72BB2E second address: 72BB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72BB33 second address: 72BB4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192B60F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72BCE4 second address: 72BCEE instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFF192480B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73306F second address: 733073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733073 second address: 73307C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73212A second address: 73212E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7332A1 second address: 7332A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7374FF second address: 737503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7379AB second address: 7379B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7379B7 second address: 7379BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7379BD second address: 7379C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739C77 second address: 739C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFF192B60F8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A0BF second address: 73A0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A1FF second address: 73A215 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF192B60E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007EFF192B60E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A215 second address: 73A219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A3B4 second address: 73A3BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A899 second address: 73A8B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A8B2 second address: 73A8C4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFF192B60E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A8C4 second address: 73A8F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007EFF192480C3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A8F4 second address: 73A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 push eax 0x00000008 jng 00007EFF192B60F4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73A906 second address: 73A90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B3F1 second address: 73B3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B3F8 second address: 73B3FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B3FE second address: 73B402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B402 second address: 73B406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B406 second address: 73B461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007EFF192B60EEh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007EFF192B60E8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1F10h], edx 0x0000002f push 00000000h 0x00000031 xor esi, dword ptr [ebp+122D5E12h] 0x00000037 push 00000000h 0x00000039 mov edi, dword ptr [ebp+122D2DFDh] 0x0000003f xchg eax, ebx 0x00000040 pushad 0x00000041 js 00007EFF192B60ECh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73B461 second address: 73B478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFF192480B8h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007EFF192480BCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73BC48 second address: 73BC60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CE2E second address: 73CE34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73D98B second address: 73D991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73D991 second address: 73D9CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D2959h], edi 0x00000011 push 00000000h 0x00000013 mov esi, 28186B0Fh 0x00000018 push 00000000h 0x0000001a add dword ptr [ebp+122D2B2Dh], esi 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 jns 00007EFF192480B8h 0x00000028 push eax 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b pop eax 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jnc 00007EFF192480B6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73D9CB second address: 73D9D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73E355 second address: 73E359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73E359 second address: 73E3E6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFF192B60E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007EFF192B60E8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1FFCh], ebx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007EFF192B60E8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a or esi, dword ptr [ebp+122D2E4Dh] 0x00000050 mov si, di 0x00000053 jc 00007EFF192B60EEh 0x00000059 push edx 0x0000005a ja 00007EFF192B60E6h 0x00000060 pop edi 0x00000061 push 00000000h 0x00000063 mov esi, dword ptr [ebp+122D2B13h] 0x00000069 xchg eax, ebx 0x0000006a jmp 00007EFF192B60EFh 0x0000006f push eax 0x00000070 pushad 0x00000071 jns 00007EFF192B60ECh 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73E3E6 second address: 73E3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73E3EE second address: 73E3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73EE8A second address: 73EEE8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007EFF192480B8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 pushad 0x00000029 je 00007EFF192480B9h 0x0000002f movsx ecx, dx 0x00000032 pushad 0x00000033 mov edi, dword ptr [ebp+122D2650h] 0x00000039 and di, 5F49h 0x0000003e popad 0x0000003f popad 0x00000040 push 00000000h 0x00000042 mov dword ptr [ebp+124711A1h], ebx 0x00000048 push 00000000h 0x0000004a mov esi, 1342C22Ah 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73EEE8 second address: 73EEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73EEF0 second address: 73EF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a js 00007EFF192480B6h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7404D1 second address: 7404D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 742E1B second address: 742E38 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF192480BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jns 00007EFF192480B6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 742E38 second address: 742E42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007EFF192B60E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 742E42 second address: 742E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 743E24 second address: 743E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7420DD second address: 7420F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7420F0 second address: 7420F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744DEE second address: 744DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7420F6 second address: 74219C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007EFF192B60F5h 0x00000013 cmc 0x00000014 pop ebx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007EFF192B60E8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 movzx edi, cx 0x00000039 mov dword ptr [ebp+1244A564h], ecx 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 movsx edi, cx 0x00000049 mov eax, dword ptr [ebp+122D0B7Dh] 0x0000004f push 00000000h 0x00000051 push eax 0x00000052 call 00007EFF192B60E8h 0x00000057 pop eax 0x00000058 mov dword ptr [esp+04h], eax 0x0000005c add dword ptr [esp+04h], 0000001Ah 0x00000064 inc eax 0x00000065 push eax 0x00000066 ret 0x00000067 pop eax 0x00000068 ret 0x00000069 js 00007EFF192B60ECh 0x0000006f sbb edi, 4AECE245h 0x00000075 push FFFFFFFFh 0x00000077 mov dword ptr [ebp+122D2469h], eax 0x0000007d push eax 0x0000007e push ecx 0x0000007f push eax 0x00000080 push edx 0x00000081 pushad 0x00000082 popad 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744DF2 second address: 744E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007EFF192480B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 743FB5 second address: 74404E instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF192B60E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1CA2h], edx 0x00000015 mov ebx, dword ptr [ebp+122D33AFh] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov di, cx 0x00000025 mov edi, 18EA05BBh 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007EFF192B60E8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b add dword ptr [ebp+122D266Dh], edi 0x00000051 mov eax, dword ptr [ebp+122D1015h] 0x00000057 push 00000000h 0x00000059 push eax 0x0000005a call 00007EFF192B60E8h 0x0000005f pop eax 0x00000060 mov dword ptr [esp+04h], eax 0x00000064 add dword ptr [esp+04h], 00000018h 0x0000006c inc eax 0x0000006d push eax 0x0000006e ret 0x0000006f pop eax 0x00000070 ret 0x00000071 add dword ptr [ebp+1244BC44h], eax 0x00000077 push FFFFFFFFh 0x00000079 add edi, 1144499Ah 0x0000007f adc ebx, 50CDC53Ah 0x00000085 push eax 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 jne 00007EFF192B60E6h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74404E second address: 74405B instructions: 0x00000000 rdtsc 0x00000002 je 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744F5F second address: 744F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 746E78 second address: 746E82 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744F63 second address: 744F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 746FDE second address: 746FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 746FE2 second address: 746FE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749064 second address: 749133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007EFF192480C5h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007EFF192480B8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D2DB1h] 0x0000002e jmp 00007EFF192480BEh 0x00000033 push dword ptr fs:[00000000h] 0x0000003a call 00007EFF192480BCh 0x0000003f mov di, D311h 0x00000043 pop ebx 0x00000044 add edi, dword ptr [ebp+122D2E9Dh] 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007EFF192480B8h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b or dword ptr [ebp+122D1CD0h], eax 0x00000071 mov eax, dword ptr [ebp+122D06C9h] 0x00000077 jmp 00007EFF192480BAh 0x0000007c push FFFFFFFFh 0x0000007e jnc 00007EFF192480BCh 0x00000084 push eax 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 jmp 00007EFF192480C2h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749133 second address: 749145 instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFF192B60E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007EFF192B60ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74D6E7 second address: 74D6F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFF192480BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74D6F1 second address: 74D748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jp 00007EFF192B60EEh 0x0000000d push ebx 0x0000000e jbe 00007EFF192B60E6h 0x00000014 pop ebx 0x00000015 nop 0x00000016 add bl, FFFFFFDFh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007EFF192B60E8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov di, F726h 0x00000039 jbe 00007EFF192B60ECh 0x0000003f mov edi, dword ptr [ebp+1244A580h] 0x00000045 push 00000000h 0x00000047 xor dword ptr [ebp+122D26F7h], eax 0x0000004d xchg eax, esi 0x0000004e push edx 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74D748 second address: 74D74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E7CD second address: 74E7D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E7D1 second address: 74E7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007EFF192480B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E7E2 second address: 74E7E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F759 second address: 74F7EE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007EFF192480C9h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007EFF192480B8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c xor bx, BCE8h 0x00000031 jns 00007EFF192480C9h 0x00000037 push edx 0x00000038 jmp 00007EFF192480C1h 0x0000003d pop ebx 0x0000003e push 00000000h 0x00000040 mov bx, cx 0x00000043 push 00000000h 0x00000045 jne 00007EFF192480BCh 0x0000004b or dword ptr [ebp+122D3A3Ch], edi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007EFF192480C9h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74D883 second address: 74D926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 mov ebx, dword ptr [ebp+122D2680h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007EFF192B60E8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 sbb bx, 39AFh 0x0000003c movzx ebx, cx 0x0000003f mov eax, dword ptr [ebp+122D09FDh] 0x00000045 mov bl, 5Ah 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push edx 0x0000004c call 00007EFF192B60E8h 0x00000051 pop edx 0x00000052 mov dword ptr [esp+04h], edx 0x00000056 add dword ptr [esp+04h], 00000014h 0x0000005e inc edx 0x0000005f push edx 0x00000060 ret 0x00000061 pop edx 0x00000062 ret 0x00000063 pushad 0x00000064 mov esi, dword ptr [ebp+1245C7BDh] 0x0000006a mov ecx, dword ptr [ebp+122D2BF1h] 0x00000070 popad 0x00000071 nop 0x00000072 jmp 00007EFF192B60F9h 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007EFF192B60EDh 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 750859 second address: 75085E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7508F8 second address: 750902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFF192B60E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F985 second address: 74FA0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007EFF192480C3h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jg 00007EFF192480B8h 0x00000018 jmp 00007EFF192480BEh 0x0000001d popad 0x0000001e nop 0x0000001f push ecx 0x00000020 cmc 0x00000021 pop edi 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 call 00007EFF192480C7h 0x00000035 mov edi, dword ptr [ebp+122D2D05h] 0x0000003b pop edi 0x0000003c mov eax, dword ptr [ebp+122D1311h] 0x00000042 clc 0x00000043 mov dword ptr [ebp+1244A571h], ecx 0x00000049 push FFFFFFFFh 0x0000004b mov ebx, dword ptr [ebp+122D3D48h] 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push ecx 0x00000056 pop ecx 0x00000057 pop eax 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 750902 second address: 750913 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFF192B60E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74FA0D second address: 74FA12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 751925 second address: 75192F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007EFF192B60E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 750B17 second address: 750B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 750B1B second address: 750B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 752BFC second address: 752C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFF192480B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 752C06 second address: 752C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 757C33 second address: 757C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75AAD7 second address: 75AADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75AADB second address: 75AADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 761763 second address: 761769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 761769 second address: 76176D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 761885 second address: 76188B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766755 second address: 76676A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76676A second address: 766770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD13 second address: 6FBD1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFF192480B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765435 second address: 76543B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76543B second address: 765441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765441 second address: 765447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765447 second address: 765478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 pushad 0x0000000a jmp 00007EFF192480BFh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007EFF192480BEh 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765478 second address: 765494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60ECh 0x00000007 jl 00007EFF192B60E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765494 second address: 76549E instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFF192480B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76549E second address: 7654B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F0h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765C19 second address: 765C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765C1F second address: 765C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765C23 second address: 765C44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 765EB7 second address: 765EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7662E1 second address: 766302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007EFF192480C5h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D882 second address: 76D88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFF192B60E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D88E second address: 76D893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 773345 second address: 773349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 773349 second address: 77334D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77334D second address: 773353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 773353 second address: 773394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jbe 00007EFF192480B8h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007EFF192480BFh 0x00000016 jl 00007EFF192480B6h 0x0000001c jmp 00007EFF192480C9h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772039 second address: 77203F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77203F second address: 772044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772044 second address: 772049 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772194 second address: 772198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772B4F second address: 772B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772CB5 second address: 772CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772FD8 second address: 772FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFF192B60F7h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772FF8 second address: 773014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007EFF192480C0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 773014 second address: 77303C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007EFF192B60ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77303C second address: 773040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777CEF second address: 777D0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007EFF192B60EAh 0x0000000e jl 00007EFF192B60E6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777D0B second address: 777D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192480C6h 0x00000009 jne 00007EFF192480B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776A41 second address: 776A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60F8h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776A5E second address: 776A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C5h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738AAC second address: 59402A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 nop 0x00000009 mov cx, A3E6h 0x0000000d push dword ptr [ebp+122D1089h] 0x00000013 xor dword ptr [ebp+122D28F6h], edx 0x00000019 call dword ptr [ebp+122D1D19h] 0x0000001f pushad 0x00000020 jmp 00007EFF192B60F2h 0x00000025 or dword ptr [ebp+122D250Bh], ecx 0x0000002b xor eax, eax 0x0000002d mov dword ptr [ebp+122D250Bh], ebx 0x00000033 jmp 00007EFF192B60F0h 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c pushad 0x0000003d mov di, ax 0x00000040 xor dword ptr [ebp+122D250Bh], edi 0x00000046 popad 0x00000047 mov dword ptr [ebp+122D2CC5h], eax 0x0000004d jmp 00007EFF192B60EAh 0x00000052 or dword ptr [ebp+122D296Dh], ebx 0x00000058 mov esi, 0000003Ch 0x0000005d mov dword ptr [ebp+122D1D6Bh], edi 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 jno 00007EFF192B60F4h 0x0000006d lodsw 0x0000006f pushad 0x00000070 mov bl, ch 0x00000072 jmp 00007EFF192B60EDh 0x00000077 popad 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c cld 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 or dword ptr [ebp+122D250Bh], ecx 0x00000087 pushad 0x00000088 mov ebx, dword ptr [ebp+122D2F01h] 0x0000008e mov ecx, eax 0x00000090 popad 0x00000091 nop 0x00000092 jmp 00007EFF192B60F6h 0x00000097 push eax 0x00000098 push eax 0x00000099 push edx 0x0000009a jmp 00007EFF192B60EFh 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738BBF second address: 738BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738C6C second address: 738CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007EFF192B60E6h 0x00000009 jl 00007EFF192B60E6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xor dword ptr [esp], 756102ADh 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007EFF192B60E8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push 5833BB48h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007EFF192B60F9h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738FC8 second address: 738FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7390E9 second address: 73912F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, edi 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007EFF192B60E8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D1D54h], edi 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739485 second address: 7394AE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF192480B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFF192480C8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7394AE second address: 7394B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA267 second address: 6FA26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA26D second address: 6FA271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA271 second address: 6FA29F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007EFF192480C1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776D2E second address: 776D44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFF192B60F1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776D44 second address: 776D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007EFF192480BDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776F0F second address: 776F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776F13 second address: 776F1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776F1B second address: 776F25 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF192B60EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 776F25 second address: 776F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007EFF192480BAh 0x0000000c ja 00007EFF192480B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7770B1 second address: 7770C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7770C9 second address: 7770CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777200 second address: 777208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777208 second address: 77720E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77720E second address: 777217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7773AD second address: 7773B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7773B1 second address: 7773B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7773B7 second address: 7773C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7773C2 second address: 7773C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77768D second address: 7776A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480C3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7776A4 second address: 7776D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007EFF192B60F3h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFF192B60F7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777821 second address: 777825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777825 second address: 77783B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D58E second address: 77D5A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push edi 0x0000000a jnp 00007EFF192480C2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DE15 second address: 77DE1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DE1B second address: 77DE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DE1F second address: 77DE23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7811D9 second address: 7811DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7811DD second address: 781206 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007EFF192B60ECh 0x00000010 jmp 00007EFF192B60F1h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7830DE second address: 7830E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 785067 second address: 78506C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78506C second address: 785088 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFF192480CEh 0x00000008 jmp 00007EFF192480C2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78521F second address: 785252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007EFF192B60ECh 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007EFF192B60E6h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007EFF192B60F0h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 785252 second address: 785263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480BCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788E86 second address: 788EA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007EFF192B60F7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788EA6 second address: 788EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788EAC second address: 788EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788EB1 second address: 788EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788EB7 second address: 788ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788ECA second address: 788EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007EFF192480D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78919A second address: 78919E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78919E second address: 7891D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFF192480C9h 0x0000000b jmp 00007EFF192480C0h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891D3 second address: 7891E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007EFF192B60ECh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891E6 second address: 7891FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192480BFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891FB second address: 7891FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891FF second address: 789203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789203 second address: 789209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AA95 second address: 78AAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007EFF192480C3h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 700ECD second address: 700EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jno 00007EFF192B60E6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 700EDA second address: 700F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007EFF192480BFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 700F05 second address: 700F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C043 second address: 78C047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791D18 second address: 791D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791D1D second address: 791D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480BCh 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFF192480C4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7909CD second address: 7909D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7909D1 second address: 7909DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7909DB second address: 7909FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007EFF192B60E6h 0x0000000a jmp 00007EFF192B60F5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7909FA second address: 790A17 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFF192480B6h 0x00000008 jc 00007EFF192480B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFF192480BBh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 790B68 second address: 790B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79698E second address: 7969C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007EFF192480B6h 0x0000000a jp 00007EFF192480B6h 0x00000010 popad 0x00000011 pushad 0x00000012 jno 00007EFF192480B6h 0x00000018 je 00007EFF192480B6h 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 pushad 0x00000024 jc 00007EFF192480B6h 0x0000002a jne 00007EFF192480B6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795F0A second address: 795F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007EFF192B60E6h 0x0000000a pop ebx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007EFF192B60E6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795F25 second address: 795F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 796090 second address: 796096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79F077 second address: 79F07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CEE3 second address: 79CF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60EDh 0x00000009 jmp 00007EFF192B60F4h 0x0000000e popad 0x0000000f push ecx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D1C2 second address: 79D201 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFF192480B6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007EFF192480C5h 0x00000018 jmp 00007EFF192480C5h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D201 second address: 79D21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007EFF192B60FFh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007EFF192B60EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D81B second address: 79D82B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D82B second address: 79D830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D830 second address: 79D84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480C7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D84D second address: 79D864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007EFF192B60E8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DB67 second address: 79DB70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DB70 second address: 79DB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DB79 second address: 79DB99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jnc 00007EFF192480C5h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DEA7 second address: 79DEAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79E15E second address: 79E162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79E6CF second address: 79E72A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFF192B60EDh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007EFF192B60EAh 0x0000000f jmp 00007EFF192B60ECh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007EFF192B60F9h 0x0000001f jmp 00007EFF192B60F3h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79EA37 second address: 79EA3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A060F second address: 7A0616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A39E8 second address: 7A39EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A39EE second address: 7A39F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A39F2 second address: 7A39F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A39F6 second address: 7A3A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007EFF192B60E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3B5B second address: 7A3B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3B5F second address: 7A3B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3E4F second address: 7A3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3E5D second address: 7A3E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007EFF192B60E6h 0x0000000e jmp 00007EFF192B60F5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3FFB second address: 7A4007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4007 second address: 7A400D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A400D second address: 7A4013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4013 second address: 7A401C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4183 second address: 7A4187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4187 second address: 7A419D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFF192B60F0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A419D second address: 7A41AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007EFF192480B6h 0x00000009 jnp 00007EFF192480B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4476 second address: 7A447C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A447C second address: 7A4496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007EFF192480BFh 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4496 second address: 7A449A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF95D second address: 7AF9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jc 00007EFF192480B6h 0x00000014 jl 00007EFF192480B6h 0x0000001a jmp 00007EFF192480C1h 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007EFF192480C0h 0x00000026 jmp 00007EFF192480C9h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF9B5 second address: 7AF9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007EFF192B60F2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF9C2 second address: 7AF9C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFAF5 second address: 7AFB0A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007EFF192B60E6h 0x0000000d jbe 00007EFF192B60E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFC89 second address: 7AFC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFDD5 second address: 7AFDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFF63 second address: 7AFF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFF192480B6h 0x0000000a pop ebx 0x0000000b jo 00007EFF192480CBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFF76 second address: 7AFF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192B60EFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007EFF192B60E8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFF94 second address: 7AFFAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192480C0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFFAA second address: 7AFFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B011C second address: 7B0126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0902 second address: 7B0906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B1001 second address: 7B1005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B1005 second address: 7B100A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AEE50 second address: 7AEE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8279 second address: 7B8297 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFF192B60E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007EFF192B60F1h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B856B second address: 7B856F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B856F second address: 7B8573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BBFEF second address: 7BC002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BC002 second address: 7BC092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60EBh 0x00000007 jmp 00007EFF192B60F3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007EFF192B60F7h 0x00000014 pop eax 0x00000015 pushad 0x00000016 jng 00007EFF192B60E6h 0x0000001c jmp 00007EFF192B60F1h 0x00000021 popad 0x00000022 jmp 00007EFF192B60F6h 0x00000027 popad 0x00000028 pushad 0x00000029 push eax 0x0000002a push esi 0x0000002b pop esi 0x0000002c jg 00007EFF192B60E6h 0x00000032 pop eax 0x00000033 jmp 00007EFF192B60EAh 0x00000038 jmp 00007EFF192B60EDh 0x0000003d push edi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6885 second address: 7C689E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007EFF192480C1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6431 second address: 7C6464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007EFF192B60F3h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6464 second address: 7C6468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6468 second address: 7C646C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD3F3 second address: 7CD3F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD3F8 second address: 7CD3FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD3FE second address: 7CD404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1EA6 second address: 7D1EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFF192B60E6h 0x0000000a push edi 0x0000000b jmp 00007EFF192B60F6h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9150 second address: 7D917E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFF192480C0h 0x0000000a pop edx 0x0000000b jnp 00007EFF192480E2h 0x00000011 pushad 0x00000012 jmp 00007EFF192480BFh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBD03 second address: 7DBD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jng 00007EFF192B60E8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB4D second address: 7DBB55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB55 second address: 7DBB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB59 second address: 7DBB5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB5D second address: 7DBB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB6B second address: 7DBB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB6F second address: 7DBB73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB73 second address: 7DBB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB80 second address: 7DBB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007EFF192B60F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBB9F second address: 7DBBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBBA7 second address: 7DBBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DBBAB second address: 7DBBBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DFA2F second address: 7DFA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 je 00007EFF192B60F4h 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DFA3E second address: 7DFA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4E46 second address: 7E4E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4E51 second address: 7E4E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4E59 second address: 7E4E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4FDA second address: 7E4FE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E52A6 second address: 7E52AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E52AA second address: 7E52BA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF192480B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E52BA second address: 7E52BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E58BE second address: 7E58DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFF192480BEh 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007EFF192480B6h 0x00000010 jno 00007EFF192480C2h 0x00000016 je 00007EFF192480B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E62DF second address: 7E631C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jo 00007EFF192B611Ch 0x00000010 pushad 0x00000011 jmp 00007EFF192B60F1h 0x00000016 jmp 00007EFF192B60EEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB011 second address: 7EB015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EACC0 second address: 7EACCA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFF192B60E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8759 second address: 7F875F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FAB0A second address: 7FAB15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007EFF192B60E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEB17 second address: 7FEB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480BAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEB26 second address: 7FEB7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007EFF192B60F5h 0x00000012 jmp 00007EFF192B60EFh 0x00000017 jmp 00007EFF192B60EFh 0x0000001c popad 0x0000001d pushad 0x0000001e jns 00007EFF192B60E6h 0x00000024 jc 00007EFF192B60E6h 0x0000002a jno 00007EFF192B60E6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEB7C second address: 7FEB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 821BC0 second address: 821BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829408 second address: 82940D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8282B0 second address: 8282CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8282CF second address: 8282E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8282E4 second address: 8282FA instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF192B60E6h 0x00000008 js 00007EFF192B60E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8282FA second address: 8282FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8282FE second address: 828325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60EBh 0x00000007 jmp 00007EFF192B60F3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828325 second address: 82832B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82848A second address: 828496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFF192B60E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828496 second address: 8284A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8284A1 second address: 8284D0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFF192B60E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d jbe 00007EFF192B611Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007EFF192B60F8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828636 second address: 828647 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828790 second address: 828799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828CDE second address: 828D04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007EFF192480CCh 0x0000000f jmp 00007EFF192480C0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828D04 second address: 828D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828FC1 second address: 82900A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF192480C7h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 jmp 00007EFF192480C2h 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jc 00007EFF192480B6h 0x00000026 popad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82BCE8 second address: 82BCEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82EEB2 second address: 82EECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007EFF192480B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82EECB second address: 82EEE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60ECh 0x00000007 jl 00007EFF192B60E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82EEE4 second address: 82EEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82EEEE second address: 82EF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007EFF192B60EDh 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 830DDD second address: 830DE6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020BE3 second address: 5020C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007EFF192B60EEh 0x00000014 test ecx, ecx 0x00000016 jmp 00007EFF192B60F0h 0x0000001b jns 00007EFF192B6135h 0x00000021 jmp 00007EFF192B60F0h 0x00000026 add eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007EFF192B60F7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020C57 second address: 5020C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF192480C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020C6F second address: 5020C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020C73 second address: 5020CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax+00000860h] 0x0000000e pushad 0x0000000f mov edi, 198B95A0h 0x00000014 pushfd 0x00000015 jmp 00007EFF192480C9h 0x0000001a and cx, 1CA6h 0x0000001f jmp 00007EFF192480C1h 0x00000024 popfd 0x00000025 popad 0x00000026 test eax, eax 0x00000028 pushad 0x00000029 mov edi, ecx 0x0000002b call 00007EFF192480C8h 0x00000030 mov ch, CCh 0x00000032 pop edx 0x00000033 popad 0x00000034 je 00007EFF89E1E13Bh 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007EFF192480C9h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CAD2 second address: 73CAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040049 second address: 50400AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFF192480C7h 0x00000009 or ax, 26CEh 0x0000000e jmp 00007EFF192480C9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007EFF192480C0h 0x0000001a sub ch, 00000048h 0x0000001d jmp 00007EFF192480BBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50400AD second address: 50400C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192B60F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50400C8 second address: 5040118 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF192480C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007EFF192480BEh 0x00000010 mov edx, dword ptr [ebp+0Ch] 0x00000013 pushad 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007EFF192480BCh 0x0000001b sbb ah, 00000068h 0x0000001e jmp 00007EFF192480BBh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040118 second address: 5040121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040121 second address: 5040125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7330F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 757CA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7386A5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7BC9FD instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 4444 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: file.exe, file.exe, 00000000.00000002.1950788588.000000000070F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000002.1951560374.000000000125E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: file.exe, 00000000.00000003.1749512570.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1951560374.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.1950788588.000000000070F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005700D0 LdrInitializeThunk, 0_2_005700D0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe, file.exe, 00000000.00000002.1950916876.0000000000754000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532904 Sample: file.exe Startdate: 14/10/2024 Architecture: WINDOWS Score: 100 18 studennotediw.store 2->18 20 steamcommunity.com 2->20 22 9 other IPs or domains 2->22 28 Multi AV Scanner detection for domain / URL 2->28 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 9 other signatures 2->34 7 file.exe 2->7         started        signatures3 process4 dnsIp5 24 sergei-esenin.com 104.21.53.8, 443, 49731, 49732 CLOUDFLARENETUS United States 7->24 26 steamcommunity.com 104.102.49.254, 443, 49730 AKAMAI-ASUS United States 7->26 36 Detected unpacking (changes PE section rights) 7->36 38 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->38 40 Tries to evade debugger and weak emulator (self modifying code) 7->40 42 4 other signatures 7->42 11 WerFault.exe 21 16 7->11         started        14 WerFault.exe 2 7->14         started        signatures6 process7 file8 16 C:\ProgramData\Microsoft\...\Report.wer, Unicode 11->16 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
sergei-esenin.com 104.21.53.8 true
241.42.69.40.in-addr.arpa unknown unknown
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
studennotediw.store true unknown
dissapoiznw.store true unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
eaglepawnoy.store true unknown
bathdoomgaz.store true unknown
clearancek.site true
    		unknown
    spirittunek.store true
      		unknown
      licendfilteo.site true
        		unknown