Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538062
MD5: 3880432b7647c48cddbfb9664d00bbe5
SHA1: c6ed8d832745b917a77dd0806d706b2ef73ea2cf
SHA256: 3dcabb1cd2b557aa8cc450a5f8872adb41e1a290503b2ace66b1004f12c849c3
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com:443/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Found malware configuration
Source: file.exe.3392.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["bathdoomgaz.store", "eaglepawnoy.store", "licendfilteo.site", "dissapoiznw.store", "spirittunek.store", "clearancek.site", "studennotediw.store", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for domain / URL
Source: sergei-esenin.com Virustotal: Detection: 19% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 45% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2165592007.0000000000E71000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49699 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00E7D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00E7D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_00EB63B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00EB99D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_00EB695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00E7FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00E80EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00EB6094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00EB4040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00E86F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_00EAF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_00E71000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_00E9D1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00E842FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00E92260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00E92260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_00E7A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_00EB64B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_00E9C470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00EB1440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00E8D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00E9E40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_00E8B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_00E78590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00EB7520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00E86536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00E99510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00E9E66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00EAB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_00EB67EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00E9D7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00EB5700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00EB7710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00E928E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_00E749A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_00E8D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00EB3920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00E81ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00EB4A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00E75A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00E81A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00E81BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00E83BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00EA0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_00E8DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_00E8DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00EB9B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00EB9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00EB9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_00E9CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00E9CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_00E9CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00E9AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_00E9AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_00E9EC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_00EAFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00E97C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00EB8D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00E9DD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_00E9FD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00E76EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_00E7BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00E86EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00E81E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00E97E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00E95E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_00E9AE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00E84E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00EB7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00EB7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00E78FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_00E8FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00EB5FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00E86F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00E99F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00EAFF70

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:59832 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:56977 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:54180 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:51796 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:56296 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:61950 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:65277 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:59379 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49699 -> 104.102.49.254:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: mobbipenju.store
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.206.204 172.67.206.204
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000000.00000002.2166326891.0000000001812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=29474a3c650c1d4a53e2b456; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 20 Oct 2024 05:40:07 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a61
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/promo/summer2017/stickers.css?v=P8gOPraCSjV6&l=engl
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/profilev2.css?v=t9xiI4DlPpEB&l=english
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2166528967.0000000001858000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/modalContent.js?v=XpCpvP7feUoO&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/profile.js?v=bbs9uq0gqJ-H&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/promo/stickers.js?v=W8NP8aTVqtms&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/webui/clientcom.js?v=jq1jQyX1843y&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apii
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.2166326891.00000000017D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store/api
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/api
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000002.2166326891.0000000001812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000002.2166326891.0000000001812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/(
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2166326891.0000000001812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apin
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2166326891.00000000017D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2166528967.0000000001858000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2166326891.00000000017BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.2166326891.0000000001812000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e7
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2163932444.000000000184B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2163932444.0000000001843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49699 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E80228 0_2_00E80228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBA0D0 0_2_00EBA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB4040 0_2_00EB4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82030 0_2_00E82030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E71000 0_2_00E71000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E771F0 0_2_00E771F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7E1A0 0_2_00E7E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 0_2_00FA2189
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E75160 0_2_00E75160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 0_2_010510A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E712F7 0_2_00E712F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA82D0 0_2_00EA82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA12D0 0_2_00EA12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104F3D8 0_2_0104F3D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA23E0 0_2_00EA23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E713A3 0_2_00E713A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7B3A0 0_2_00E7B3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104A2E6 0_2_0104A2E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7A300 0_2_00E7A300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA64F0 0_2_00EA64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E84487 0_2_00E84487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8049B 0_2_00E8049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9C470 0_2_00E9C470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8C5F0 0_2_00E8C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E735B0 0_2_00E735B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E78590 0_2_00E78590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB86F0 0_2_00EB86F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01048751 0_2_01048751
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7164F 0_2_00E7164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB8652 0_2_00EB8652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAF620 0_2_00EAF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF37FA 0_2_00EF37FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB67AB 0_2_00FB67AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F977A6 0_2_00F977A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAB8C0 0_2_00EAB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FFC8CE 0_2_00FFC8CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104D930 0_2_0104D930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAE8A0 0_2_00EAE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA1860 0_2_00EA1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7A850 0_2_00E7A850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0102F9CC 0_2_0102F9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB89A0 0_2_00EB89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9098B 0_2_00E9098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB7AB0 0_2_00EB7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB8A80 0_2_00EB8A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB4A40 0_2_00EB4A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01041BEE 0_2_01041BEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E77BF0 0_2_00E77BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8DB6F 0_2_00E8DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9CCD0 0_2_00E9CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB6CBF 0_2_00EB6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB8C02 0_2_00EB8C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E98D62 0_2_00E98D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DD29 0_2_00E9DD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9FD10 0_2_00E9FD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7BEB0 0_2_00E7BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E86EBF 0_2_00E86EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB8E70 0_2_00EB8E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9AE57 0_2_00E9AE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E84E2A 0_2_00E84E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB7FC0 0_2_00EB7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E78FD0 0_2_00E78FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FEDFAA 0_2_00FEDFAA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7AF10 0_2_00E7AF10
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E8D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E7CAA0 appears 48 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994972153465347
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA8220 CoCreateInstance, 0_2_00EA8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe Virustotal: Detection: 45%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 2997760 > 1048576
Source: file.exe Static PE information: Raw size of yuxxtezp is bigger than: 0x100000 < 0x2b2600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e70000.0.unpack :EW;.rsrc :W;.idata :W;yuxxtezp:EW;itmjzrcs:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;yuxxtezp:EW;itmjzrcs:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2de81f should be: 0x2dff8b
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: yuxxtezp
Source: file.exe Static PE information: section name: itmjzrcs
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0106A138 push edx; mov dword ptr [esp], esi 0_2_0106A13C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0106A138 push ebp; mov dword ptr [esp], 4BB33AC4h 0_2_0106A140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0106A138 push 10A44E66h; mov dword ptr [esp], ecx 0_2_0106A14D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01117144 push esi; mov dword ptr [esp], 3BFFD10Eh 0_2_011171B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0106F169 push 0ECF2D3Dh; mov dword ptr [esp], ecx 0_2_0106F192
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011311BF push 57961BBAh; mov dword ptr [esp], edx 0_2_01131208
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011311BF push 1A5D9AB6h; mov dword ptr [esp], edi 0_2_01131224
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push 5C9C18FFh; mov dword ptr [esp], esi 0_2_00FA21C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push 3D3724A7h; mov dword ptr [esp], eax 0_2_00FA21CD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push edx; mov dword ptr [esp], 339A9DF1h 0_2_00FA21EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push ecx; mov dword ptr [esp], eax 0_2_00FA21FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push 487A5637h; mov dword ptr [esp], edi 0_2_00FA22BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2189 push eax; mov dword ptr [esp], esi 0_2_00FA2315
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push edx; mov dword ptr [esp], ecx 0_2_010510BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 19E42995h; mov dword ptr [esp], eax 0_2_01051120
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 1242707Eh; mov dword ptr [esp], esi 0_2_0105113F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 4FA82A13h; mov dword ptr [esp], eax 0_2_010511B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push esi; mov dword ptr [esp], ecx 0_2_010511CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push ebp; mov dword ptr [esp], ecx 0_2_01051205
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push esi; mov dword ptr [esp], edx 0_2_0105124C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push ebp; mov dword ptr [esp], edx 0_2_0105125E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push edi; mov dword ptr [esp], 630E1AC8h 0_2_0105129E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push esi; mov dword ptr [esp], 2BFD811Eh 0_2_010512CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 02F15F2Bh; mov dword ptr [esp], esi 0_2_01051321
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push edx; mov dword ptr [esp], eax 0_2_01051363
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 23EB2DBFh; mov dword ptr [esp], esi 0_2_0105136B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 17DE70A4h; mov dword ptr [esp], eax 0_2_01051412
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push 4335C84Dh; mov dword ptr [esp], edx 0_2_0105148A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push eax; mov dword ptr [esp], edi 0_2_010514B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push esi; mov dword ptr [esp], edx 0_2_01051503
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010510A5 push ebp; mov dword ptr [esp], 05FF6787h 0_2_01051507
Source: file.exe Static PE information: section name: entropy: 7.976730207409505

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10585D7 second address: 10585E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F71A8DB7116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057BF3 second address: 1057BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057BF9 second address: 1057BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057BFD second address: 1057C37 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F71A8C84D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F71A8C84D66h 0x00000010 jmp 00007F71A8C84D4Ch 0x00000015 jmp 00007F71A8C84D54h 0x0000001a jnp 00007F71A8C84D4Eh 0x00000020 push edx 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057EB7 second address: 1057EFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7125h 0x00000007 jmp 00007F71A8DB7129h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007F71A8DB711Fh 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105A5EF second address: 105A5F9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F71A8C84D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105A5F9 second address: 105A67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b jo 00007F71A8DB7118h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 pop eax 0x00000015 ja 00007F71A8DB7116h 0x0000001b push 00000003h 0x0000001d mov dword ptr [ebp+122D1E47h], edx 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F71A8DB7118h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Dh 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f mov ecx, dword ptr [ebp+122D2E99h] 0x00000045 mov edx, dword ptr [ebp+122D2FADh] 0x0000004b push 00000003h 0x0000004d mov edi, dword ptr [ebp+122D1E47h] 0x00000053 call 00007F71A8DB7119h 0x00000058 jo 00007F71A8DB7120h 0x0000005e pushad 0x0000005f push esi 0x00000060 pop esi 0x00000061 jo 00007F71A8DB7116h 0x00000067 popad 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jg 00007F71A8DB711Ch 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105A76B second address: 105A78B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105A78B second address: 105A82A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F71A8DB7118h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1E85h], edi 0x00000028 movzx edi, ax 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F71A8DB7118h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov si, 4AF1h 0x0000004b mov edx, dword ptr [ebp+122D2E7Dh] 0x00000051 call 00007F71A8DB7119h 0x00000056 jmp 00007F71A8DB711Bh 0x0000005b push eax 0x0000005c pushad 0x0000005d push ebx 0x0000005e pushad 0x0000005f popad 0x00000060 pop ebx 0x00000061 jmp 00007F71A8DB7128h 0x00000066 popad 0x00000067 mov eax, dword ptr [esp+04h] 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F71A8DB711Ah 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105AA14 second address: 105AA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F71A8C84D46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105AA21 second address: 105AACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007F71A8DB7125h 0x00000013 pop eax 0x00000014 mov ecx, ebx 0x00000016 push 00000003h 0x00000018 pushad 0x00000019 jmp 00007F71A8DB7124h 0x0000001e mov ebx, 2633FC54h 0x00000023 popad 0x00000024 push 00000000h 0x00000026 mov edx, dword ptr [ebp+122D2C91h] 0x0000002c push 00000003h 0x0000002e jmp 00007F71A8DB711Eh 0x00000033 mov di, 8FD1h 0x00000037 call 00007F71A8DB7119h 0x0000003c ja 00007F71A8DB7130h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F71A8DB711Dh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1079ADB second address: 1079AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F71A8C84D46h 0x0000000a jno 00007F71A8C84D46h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1079D81 second address: 1079D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F71A8DB7116h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1079EE2 second address: 1079EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1079EE6 second address: 1079F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB711Fh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F71A8DB7116h 0x00000012 push edi 0x00000013 pop edi 0x00000014 jnl 00007F71A8DB7116h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007F71A8DB7116h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107A4DC second address: 107A4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F71A8C84D46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107A4E8 second address: 107A4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F71A8DB7116h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107AA8F second address: 107AAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F71A8C84D51h 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F71A8C84D46h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107AAB5 second address: 107AAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1049E18 second address: 1049E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F71A8C84D46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107B1C2 second address: 107B1CC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F71A8DB711Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107B31B second address: 107B325 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F71A8C84D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107B5E3 second address: 107B5F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jg 00007F71A8DB7116h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107F960 second address: 107F964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FA6C second address: 107FA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FCF5 second address: 107FD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F71A8C84D54h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f jnp 00007F71A8C84D46h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FD1A second address: 107FD20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082A24 second address: 1082A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F71A8C84D46h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F71A8C84D59h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082A4C second address: 1082A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB711Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082A5D second address: 1082A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F71A8C84D46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104BA40 second address: 104BA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB7128h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1083F57 second address: 1083F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104EF62 second address: 104EF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10876C4 second address: 10876D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F71A8C84D46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10876D0 second address: 108770F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F71A8DB7116h 0x00000008 js 00007F71A8DB7116h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F71A8DB713Bh 0x0000001a jmp 00007F71A8DB7127h 0x0000001f jmp 00007F71A8DB711Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1086DE9 second address: 1086E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8C84D59h 0x00000009 je 00007F71A8C84D46h 0x0000000f popad 0x00000010 push ebx 0x00000011 jmp 00007F71A8C84D4Ch 0x00000016 jnp 00007F71A8C84D46h 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1086E21 second address: 1086E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1086E27 second address: 1086E31 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1086F6D second address: 1086F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10874E9 second address: 108751E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 js 00007F71A8C84D4Ch 0x0000000d jp 00007F71A8C84D46h 0x00000013 jmp 00007F71A8C84D4Ch 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e jp 00007F71A8C84D4Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pop esi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108943E second address: 1089442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089442 second address: 1089446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108A6D2 second address: 108A6DC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108A6DC second address: 108A6F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F71A8C84D46h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108A771 second address: 108A7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F71A8DB7116h 0x0000000a popad 0x0000000b add dword ptr [esp], 3B57AD90h 0x00000012 mov esi, 656C9809h 0x00000017 call 00007F71A8DB7119h 0x0000001c jmp 00007F71A8DB7126h 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 jl 00007F71A8DB7116h 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c popad 0x0000002d jmp 00007F71A8DB7128h 0x00000032 popad 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 jnp 00007F71A8DB711Eh 0x0000003d je 00007F71A8DB7118h 0x00000043 pushad 0x00000044 popad 0x00000045 mov eax, dword ptr [eax] 0x00000047 jmp 00007F71A8DB7123h 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108A7FC second address: 108A800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108A800 second address: 108A80F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F71A8DB7116h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108AE13 second address: 108AE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B4FF second address: 108B503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B503 second address: 108B50D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F71A8C84D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B50D second address: 108B512 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B512 second address: 108B524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F71A8C84D48h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B63C second address: 108B640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108B640 second address: 108B645 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1090A77 second address: 1090A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091182 second address: 1091188 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091C4D second address: 1091C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091C6A second address: 1091C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10926ED second address: 1092702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d jnp 00007F71A8DB7116h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1092492 second address: 1092498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10964F7 second address: 10964FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10964FB second address: 10964FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1098564 second address: 109856A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097824 second address: 109782E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F71A8C84D46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A73D second address: 109A742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A742 second address: 109A749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10997E3 second address: 10997F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10997F4 second address: 10998B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F71A8C84D54h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F71A8C84D48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D1E52h], edx 0x0000002c mov dword ptr [ebp+122D5D1Ah], ebx 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov edi, eax 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov ebx, dword ptr [ebp+122D2E31h] 0x00000048 mov eax, dword ptr [ebp+122D0645h] 0x0000004e jmp 00007F71A8C84D59h 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push eax 0x00000058 call 00007F71A8C84D48h 0x0000005d pop eax 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc eax 0x0000006b push eax 0x0000006c ret 0x0000006d pop eax 0x0000006e ret 0x0000006f mov dword ptr [ebp+12454131h], edx 0x00000075 nop 0x00000076 jmp 00007F71A8C84D4Fh 0x0000007b push eax 0x0000007c pushad 0x0000007d jno 00007F71A8C84D4Ch 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10998B9 second address: 10998BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109B840 second address: 109B844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109B844 second address: 109B84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109B84A second address: 109B851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109E79F second address: 109E7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109E7A4 second address: 109E7AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A0910 second address: 10A092C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F71A8DB7128h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A092C second address: 10A09A1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F71A8C84D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jng 00007F71A8C84D4Ch 0x00000015 mov dword ptr [ebp+122D1E09h], esi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F71A8C84D48h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 movsx ebx, bx 0x0000003a mov dword ptr [ebp+122D1FA2h], eax 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F71A8C84D48h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c je 00007F71A8C84D4Ch 0x00000062 mov dword ptr [ebp+122D3234h], esi 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A09A1 second address: 10A09A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109E9AC second address: 109E9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109E9B0 second address: 109E9B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19D6 second address: 10A19DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19DB second address: 10A1A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB7126h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F71A8DB711Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A0B11 second address: 10A0BC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007F71A8C84D4Fh 0x0000000f and edi, 7193D521h 0x00000015 pop ebx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov bl, cl 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 jmp 00007F71A8C84D56h 0x0000002b mov eax, dword ptr [ebp+122D16F5h] 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F71A8C84D48h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b push edi 0x0000004c ja 00007F71A8C84D53h 0x00000052 pop edi 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ecx 0x00000058 call 00007F71A8C84D48h 0x0000005d pop ecx 0x0000005e mov dword ptr [esp+04h], ecx 0x00000062 add dword ptr [esp+04h], 00000019h 0x0000006a inc ecx 0x0000006b push ecx 0x0000006c ret 0x0000006d pop ecx 0x0000006e ret 0x0000006f xor dword ptr [ebp+12489C2Eh], esi 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push ecx 0x00000079 pushad 0x0000007a popad 0x0000007b pop ecx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A1A08 second address: 10A1A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2B03 second address: 10A2B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A1BA0 second address: 10A1BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2B07 second address: 10A2B24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2B24 second address: 10A2B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB7129h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2B42 second address: 10A2B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2B48 second address: 10A2B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A2C93 second address: 10A2CB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F71A8C84D53h 0x00000008 jmp 00007F71A8C84D4Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F71A8C84D48h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A3B80 second address: 10A3B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A3B84 second address: 10A3B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A5A65 second address: 10A5A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF2F second address: 10ACF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF34 second address: 10ACF3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF3A second address: 10ACF3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF3E second address: 10ACF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF4D second address: 10ACF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF53 second address: 10ACF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACF57 second address: 10ACF5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B16F0 second address: 10B171A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F71A8DB7124h 0x00000010 pushad 0x00000011 jc 00007F71A8DB7116h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B182E second address: 10B1857 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F71A8C84D4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F71A8C84D55h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B1857 second address: 10B1876 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F71A8DB7121h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B1876 second address: 10B188A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B188A second address: 10B189D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B189D second address: 10B18A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B18A1 second address: 10B18BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B18BC second address: 10B18E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F71A8C84D57h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1044C09 second address: 1044C21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7123h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1044C21 second address: 1044C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B13 second address: 10B8B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B19 second address: 10B8B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B1F second address: 10B8B37 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F71A8DB7116h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F71A8DB711Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B37 second address: 10B8B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B3B second address: 10B8B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB711Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F71A8DB7122h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B8B65 second address: 10B8B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F71A8C84D54h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B9608 second address: 10B962A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F71A8DB711Ch 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 ja 00007F71A8DB7120h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B98EF second address: 10B9922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F71A8C84D51h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F71A8C84D56h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B9922 second address: 10B992A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B9AB7 second address: 10B9ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B9ABD second address: 10B9AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BD10A second address: 10BD129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F71A8C84D46h 0x0000000b jo 00007F71A8C84D46h 0x00000011 jmp 00007F71A8C84D4Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1598 second address: 10C159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C159C second address: 10C15C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jg 00007F71A8C84D65h 0x0000000d push ebx 0x0000000e jmp 00007F71A8C84D4Fh 0x00000013 jnl 00007F71A8C84D46h 0x00000019 pop ebx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C12CB second address: 10C12CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C24C1 second address: 10C24C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C24C8 second address: 10C24EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7129h 0x00000007 ja 00007F71A8DB7122h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109386B second address: 1093931 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F71A8C84D4Ch 0x00000008 jng 00007F71A8C84D46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 push esi 0x00000012 or dword ptr [ebp+1248324Bh], ecx 0x00000018 pop ecx 0x00000019 push dword ptr fs:[00000000h] 0x00000020 movzx edx, si 0x00000023 jmp 00007F71A8C84D4Fh 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov dword ptr [ebp+12459779h], ecx 0x00000035 mov ecx, dword ptr [ebp+122D277Eh] 0x0000003b mov dword ptr [ebp+12493516h], esp 0x00000041 and dx, C027h 0x00000046 cmp dword ptr [ebp+122D2CE9h], 00000000h 0x0000004d jne 00007F71A8C84E28h 0x00000053 call 00007F71A8C84D51h 0x00000058 or dword ptr [ebp+122D3AB2h], edi 0x0000005e pop ecx 0x0000005f mov byte ptr [ebp+122D1E4Dh], 00000047h 0x00000066 push 00000000h 0x00000068 push ebp 0x00000069 call 00007F71A8C84D48h 0x0000006e pop ebp 0x0000006f mov dword ptr [esp+04h], ebp 0x00000073 add dword ptr [esp+04h], 00000017h 0x0000007b inc ebp 0x0000007c push ebp 0x0000007d ret 0x0000007e pop ebp 0x0000007f ret 0x00000080 mov edx, dword ptr [ebp+122D38DCh] 0x00000086 jl 00007F71A8C84D46h 0x0000008c or dx, C7DBh 0x00000091 mov eax, D49AA7D2h 0x00000096 mov ecx, dword ptr [ebp+1248310Bh] 0x0000009c push eax 0x0000009d pushad 0x0000009e push eax 0x0000009f push edx 0x000000a0 jmp 00007F71A8C84D4Bh 0x000000a5 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093C55 second address: 1093C66 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093C66 second address: 1093C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093E02 second address: 1093E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093E06 second address: 1093E1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093E1F second address: 1093E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F71A8DB7129h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109407A second address: 1094093 instructions: 0x00000000 rdtsc 0x00000002 je 00007F71A8C84D48h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F71A8C84D4Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109419D second address: 10941C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F71A8DB7127h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10942F0 second address: 1094345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F71A8C84D48h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D28C6h], edi 0x00000029 push 00000004h 0x0000002b pushad 0x0000002c jmp 00007F71A8C84D4Eh 0x00000031 popad 0x00000032 mov edi, edx 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 jmp 00007F71A8C84D50h 0x0000003d pop esi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094345 second address: 1094373 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F71A8DB7123h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F71A8DB7122h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094373 second address: 1094378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094B38 second address: 1094BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F71A8DB7118h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1C62h], edi 0x0000002d movsx edi, ax 0x00000030 mov dx, 6900h 0x00000034 lea eax, dword ptr [ebp+12493502h] 0x0000003a sub dword ptr [ebp+122D3C10h], edx 0x00000040 nop 0x00000041 jmp 00007F71A8DB7121h 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jnl 00007F71A8DB7118h 0x0000004f push eax 0x00000050 pop eax 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094BB2 second address: 1094BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a or dword ptr [ebp+122D1C06h], edx 0x00000010 lea eax, dword ptr [ebp+124934BEh] 0x00000016 pushad 0x00000017 xor dword ptr [ebp+124597C0h], ecx 0x0000001d mov dword ptr [ebp+122D31CDh], edi 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094BEE second address: 1094BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094BF3 second address: 1094BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094BF9 second address: 10707AE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F71A8DB7118h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dword ptr [ebp+12483258h], ebx 0x0000002f call dword ptr [ebp+12454833h] 0x00000035 pushad 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CAF03 second address: 10CAF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F71A8C84D46h 0x0000000a jnc 00007F71A8C84D46h 0x00000010 popad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007F71A8C84D46h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CB06D second address: 10CB073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CB1FB second address: 10CB203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D049B second address: 10D04A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D04A1 second address: 10D04A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D0D18 second address: 10D0D29 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D0D29 second address: 10D0D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F71A8C84D53h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D0D43 second address: 10D0D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CFEC7 second address: 10CFED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F71A8C84D46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CFED1 second address: 10CFF34 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F71A8DB7131h 0x0000000c pop edi 0x0000000d pushad 0x0000000e jmp 00007F71A8DB7123h 0x00000013 jc 00007F71A8DB7128h 0x00000019 jmp 00007F71A8DB7122h 0x0000001e jmp 00007F71A8DB711Bh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D317C second address: 10D3183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D5F8B second address: 10D5F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D5CBF second address: 10D5CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D5CC5 second address: 10D5CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB7129h 0x00000009 popad 0x0000000a pushad 0x0000000b jne 00007F71A8DB7116h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D8940 second address: 10D8969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F71A8C84D57h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c js 00007F71A8C84D46h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D8969 second address: 10D896D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D8DB4 second address: 10D8DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DE4DD second address: 10DE4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DE69A second address: 10DE69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DE7DD second address: 10DE7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DE7E6 second address: 10DE7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DE7EA second address: 10DE7FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F71A8DB711Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF366 second address: 10DF385 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F71A8C84D4Fh 0x00000008 jng 00007F71A8C84D46h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF385 second address: 10DF39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F71A8DB711Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E297D second address: 10E29A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F71A8C84D4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F71A8C84D57h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2C0E second address: 10E2C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2C14 second address: 10E2C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F71A8C84D59h 0x0000000c jmp 00007F71A8C84D53h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2C47 second address: 10E2C52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F71A8DB7116h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2ED6 second address: 10E2EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8C84D4Ch 0x00000009 pop eax 0x0000000a jng 00007F71A8C84D5Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2EF1 second address: 10E2EFB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F71A8DB7116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7056 second address: 10E705E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E705E second address: 10E7064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E680D second address: 10E681F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnp 00007F71A8C84D46h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E681F second address: 10E6825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6825 second address: 10E6833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F71A8C84D46h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6833 second address: 10E6839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6994 second address: 10E69B0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F71A8C84D46h 0x00000008 jmp 00007F71A8C84D4Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6B09 second address: 10E6B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F71A8DB711Ch 0x0000000a jp 00007F71A8DB711Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE693 second address: 10EE6A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007F71A8C84D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F71A8C84D46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6A7 second address: 10EE6B1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F71A8DB7116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6B1 second address: 10EE6BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6BB second address: 10EE6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6BF second address: 10EE6C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6C3 second address: 10EE6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F71A8DB7129h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6E5 second address: 10EE6F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F71A8C84D4Ch 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE6F7 second address: 10EE719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F71A8DB7116h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE719 second address: 10EE71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC773 second address: 10EC798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F71A8DB711Eh 0x0000000b jnp 00007F71A8DB7118h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F71A8DB7116h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC90C second address: 10EC915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC915 second address: 10EC91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC91B second address: 10EC91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC91F second address: 10EC923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC923 second address: 10EC929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC929 second address: 10EC94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jg 00007F71A8DB7116h 0x0000000f pop edi 0x00000010 popad 0x00000011 jo 00007F71A8DB7136h 0x00000017 jng 00007F71A8DB7118h 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ECAC1 second address: 10ECAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ECAC5 second address: 10ECAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED099 second address: 10ED09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED09D second address: 10ED0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7121h 0x00000007 jnc 00007F71A8DB7116h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F71A8DB711Fh 0x00000014 jo 00007F71A8DB711Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED8D9 second address: 10ED8F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F71A8C84D78h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED8F2 second address: 10ED912 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F71A8DB7126h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED912 second address: 10ED916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED916 second address: 10ED91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EDBDB second address: 10EDBEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F71A8C84D46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jno 00007F71A8C84D46h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EDE7A second address: 10EDE7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EDE7E second address: 10EDEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F71A8C84D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F71A8C84D58h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2486 second address: 10F248C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2A52 second address: 10F2A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2A56 second address: 10F2A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F71A8DB7120h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2A73 second address: 10F2A7F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F71A8C84D46h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2D72 second address: 10F2D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F71A8DB711Dh 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2EF1 second address: 10F2EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2EF7 second address: 10F2F06 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F71A8DB7116h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2F06 second address: 10F2F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8C84D52h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F309A second address: 10F30BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F71A8DB7128h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F30BF second address: 10F30C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F7CDF second address: 10F7CE5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F7CE5 second address: 10F7CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F7CEF second address: 10F7CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F7CF5 second address: 10F7CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F7CF9 second address: 10F7D14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F71A8DB711Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF002 second address: 10FF006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF006 second address: 10FF019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB711Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF019 second address: 10FF01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFEB1 second address: 10FFEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFEB5 second address: 10FFEBE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFEBE second address: 10FFECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F71A8DB7116h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFECB second address: 10FFED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFED1 second address: 10FFED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11070EC second address: 11070F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11070F0 second address: 11070F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106C9A second address: 1106CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106E2C second address: 1106E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106E32 second address: 1106E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11151CC second address: 1115211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F71A8DB7128h 0x0000000a jc 00007F71A8DB712Ah 0x00000010 jmp 00007F71A8DB7124h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F71A8DB711Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116EE2 second address: 1116F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F71A8C84D4Eh 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F71A8C84D46h 0x00000012 push esi 0x00000013 jnl 00007F71A8C84D46h 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F71A8C84D46h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116D41 second address: 1116D4F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F71A8DB7116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116D4F second address: 1116D59 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F71A8C84D46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116D59 second address: 1116D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A576 second address: 111A57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A0FE second address: 111A104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A104 second address: 111A10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A10C second address: 111A113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A113 second address: 111A11B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A11B second address: 111A11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A11F second address: 111A18C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F71A8C84D46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F71A8C84D78h 0x00000016 jmp 00007F71A8C84D59h 0x0000001b jmp 00007F71A8C84D59h 0x00000020 pushad 0x00000021 jg 00007F71A8C84D46h 0x00000027 pushad 0x00000028 popad 0x00000029 jc 00007F71A8C84D46h 0x0000002f jmp 00007F71A8C84D55h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A18C second address: 111A191 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A191 second address: 111A197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111EFB7 second address: 111EFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111EFBB second address: 111EFBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111EFBF second address: 111EFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1124736 second address: 112473A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11321FF second address: 1132204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130ABF second address: 1130AD6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F71A8C84D51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130AD6 second address: 1130ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130ADE second address: 1130AEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F71A8C84D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130F30 second address: 1130F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11310D6 second address: 11310F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jg 00007F71A8C84D4Ah 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jne 00007F71A8C84D4Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11313FC second address: 1131402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1135E75 second address: 1135E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1135E7C second address: 1135E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F71A8DB7116h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1135E88 second address: 1135E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11437DE second address: 1143810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F71A8DB7127h 0x00000009 jmp 00007F71A8DB7122h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143810 second address: 1143814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143814 second address: 1143818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171C70 second address: 1171C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11713B4 second address: 11713BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11716CA second address: 11716E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F71A8C84D56h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171977 second address: 117197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174872 second address: 11748DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F71A8C84D4Eh 0x0000000d push eax 0x0000000e jg 00007F71A8C84D46h 0x00000014 pop eax 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F71A8C84D48h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 jno 00007F71A8C84D4Ch 0x00000036 push 00000004h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F71A8C84D48h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 push 49AD2752h 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11748DB second address: 11748E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11748E0 second address: 11748E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11775AB second address: 11775B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11775B1 second address: 11775B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0C8E second address: 54E0CDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F71A8DB7123h 0x00000014 jmp 00007F71A8DB7123h 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0CDA second address: 54E0CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0CDF second address: 54E0CFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB711Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax+00000860h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0CFE second address: 54E0D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D02 second address: 54E0D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8DB7127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D1D second address: 54E0D6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F71A8C84D59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F71A8C84D4Eh 0x00000010 je 00007F721A0DAD5Bh 0x00000016 jmp 00007F71A8C84D50h 0x0000001b test byte ptr [eax+04h], 00000005h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov edx, 1D5EA820h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108D6DA second address: 108D6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 107F9E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ED1402 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10938B6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 110CD4A instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5584 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2165792512.000000000105F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2166326891.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2166326891.000000000177E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2165792512.000000000105F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2166326891.00000000017D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn%V
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB5BB0 LdrInitializeThunk, 0_2_00EB5BB0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe, 00000000.00000002.2165932651.00000000010A6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6'Program Manager
Source: file.exe Binary or memory string: C6'Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538062 Sample: file.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 10 studennotediw.store 2->10 12 steamcommunity.com 2->12 14 8 other IPs or domains 2->14 20 Multi AV Scanner detection for domain / URL 2->20 22 Suricata IDS alerts for network traffic 2->22 24 Found malware configuration 2->24 26 10 other signatures 2->26 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 steamcommunity.com 104.102.49.254, 443, 49699 AKAMAI-ASUS United States 6->16 18 sergei-esenin.com 172.67.206.204, 443, 49700 CLOUDFLARENETUS United States 6->18 28 Detected unpacking (changes PE section rights) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 Tries to evade debugger and weak emulator (self modifying code) 6->32 34 4 other signatures 6->34 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
sergei-esenin.com 172.67.206.204 true
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
bathdoomgaz.store true
    		unknown
    studennotediw.store true
      		unknown
      clearancek.site true
        		unknown
        dissapoiznw.store true
          		unknown
          https://steamcommunity.com/profiles/76561199724331900 true
            		unknown
            spirittunek.store true
              		unknown
              licendfilteo.site true
                		unknown
                eaglepawnoy.store true
                  		unknown
                  mobbipenju.store true
                    		unknown