Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540590
MD5: 07fb99b5324ed101f9ee2b563c5a7b21
SHA1: 5a88bfb58a261299919f42446ca2fba32a6366ea
SHA256: 89ab0e926d3c2d8502322e7c325b2d0b978a65ce075868f63280636ebeb932aa
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: file.exe.5908.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "licendfilteo.site", "eaglepawnoy.store", "dissapoiznw.store", "spirittunek.store", "bathdoomgaz.store", "studennotediw.store", "mobbipenju.store"], "Build id": "BRx--R"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2081358355.00000000001A1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001E50FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001AD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_001E63B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_001E695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_001E99D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_001AFCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_001B0EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_001A1000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_001DF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_001B6F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_001E4040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_001E6094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_001CD1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_001C2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_001C2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_001B42FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_001AA300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_001D23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_001D23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_001D23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_001BB410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_001CE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_001BD457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_001E1440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_001CC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_001E64B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_001C9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_001B6536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_001E7520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_001A8590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_001DB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_001CE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_001E7710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001E5700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_001CD7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_001E67EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_001C28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_001E3920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_001BD961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_001A49A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_001B1A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_001A5A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_001E4A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_001B1ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_001BDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_001BDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_001E9B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_001D0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_001B1BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_001B3BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_001C7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_001DFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_001CEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_001CAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_001CAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_001CCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001CCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_001CCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001E9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_001E9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_001CFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_001CDD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001E8D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_001B4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_001CAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001C5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_001C7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_001B1E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_001B6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_001ABEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_001A6EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001DFF70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_001C9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_001BFFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_001E5FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_001A8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_001E7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_001E7FC0

Networking

Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:65192 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:58849 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:56640 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:53078 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:57772 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:61652 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:59962 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:52182 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2080904765.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/6
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2080904765.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2082369029.0000000001390000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080904765.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997243319002
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2082369029.0000000001390000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080904765.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/zI9
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2080904765.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac4
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082248642.0000000001373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2080864927.000000000140F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080904765.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080864927.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000002.2082441705.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B0228 0_2_001B0228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A1000 0_2_001A1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B2030 0_2_001B2030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 0_2_0036F065
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E4040 0_2_001E4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001EA0D0 0_2_001EA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00255108 0_2_00255108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A5160 0_2_001A5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00279188 0_2_00279188
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AE1A0 0_2_001AE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003741E9 0_2_003741E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A71F0 0_2_001A71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D82D0 0_2_001D82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D12D0 0_2_001D12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A12F7 0_2_001A12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AA300 0_2_001AA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A13A3 0_2_001A13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AB3A0 0_2_001AB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D23E0 0_2_001D23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CC470 0_2_001CC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B049B 0_2_001B049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B4487 0_2_001B4487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D64F0 0_2_001D64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A8590 0_2_001A8590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A35B0 0_2_001A35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001BC5F0 0_2_001BC5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00379630 0_2_00379630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036D619 0_2_0036D619
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DF620 0_2_001DF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8652 0_2_001E8652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00372679 0_2_00372679
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A164F 0_2_001A164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E86F0 0_2_001E86F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00223713 0_2_00223713
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AA850 0_2_001AA850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D1860 0_2_001D1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00377890 0_2_00377890
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DE8A0 0_2_001DE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DB8C0 0_2_001DB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C098B 0_2_001C098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E89A0 0_2_001E89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0035F9CC 0_2_0035F9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E4A40 0_2_001E4A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036BAB4 0_2_0036BAB4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8A80 0_2_001E8A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E7AB0 0_2_001E7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00370B34 0_2_00370B34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001BDB6F 0_2_001BDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A7BF0 0_2_001A7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002D5BC3 0_2_002D5BC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8C02 0_2_001E8C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E6CBF 0_2_001E6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CCCD0 0_2_001CCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CFD10 0_2_001CFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CDD29 0_2_001CDD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C8D62 0_2_001C8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B4E2A 0_2_001B4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CAE57 0_2_001CAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E8E70 0_2_001E8E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001B6EBF 0_2_001B6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001ABEB0 0_2_001ABEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001AAF10 0_2_001AAF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00375F4F 0_2_00375F4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001A8FD0 0_2_001A8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E7FC0 0_2_001E7FC0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 001BD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 001ACAA0 appears 48 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995616749174917
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@9/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D8220 CoCreateInstance, 0_2_001D8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 2971136 > 1048576
Source: file.exe Static PE information: Raw size of gffzywxl is bigger than: 0x100000 < 0x2ac000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.1a0000.0.unpack :EW;.rsrc :W;.idata :W;gffzywxl:EW;qbkarait:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;gffzywxl:EW;qbkarait:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2da93d should be: 0x2db35b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: gffzywxl
Source: file.exe Static PE information: section name: qbkarait
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 5EF95320h; mov dword ptr [esp], ebp 0_2_0036F081
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], ecx 0_2_0036F0E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push eax; mov dword ptr [esp], edx 0_2_0036F11E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], eax 0_2_0036F147
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push edi; mov dword ptr [esp], 79FF7C40h 0_2_0036F1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push edx; mov dword ptr [esp], 4DE6E845h 0_2_0036F206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push esi; mov dword ptr [esp], 731279F5h 0_2_0036F293
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebx; mov dword ptr [esp], 77FF8055h 0_2_0036F2E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], 2BA30CE1h 0_2_0036F310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 6A7626AEh; mov dword ptr [esp], edi 0_2_0036F360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 0BC1E46Eh; mov dword ptr [esp], esi 0_2_0036F431
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], 2DEACA22h 0_2_0036F435
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebx; mov dword ptr [esp], 4674EF03h 0_2_0036F48A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 738E5470h; mov dword ptr [esp], esp 0_2_0036F49C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 3ED39A13h; mov dword ptr [esp], ecx 0_2_0036F530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 3F00ADA3h; mov dword ptr [esp], ebp 0_2_0036F5BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 06FFDCF0h; mov dword ptr [esp], ebp 0_2_0036F5CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push esi; mov dword ptr [esp], eax 0_2_0036F61B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], ecx 0_2_0036F7DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebx; mov dword ptr [esp], eax 0_2_0036F816
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push esi; mov dword ptr [esp], 76F6AEF3h 0_2_0036F827
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 63E7F822h; mov dword ptr [esp], ebp 0_2_0036F8E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 1583E300h; mov dword ptr [esp], esp 0_2_0036F8EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push edi; mov dword ptr [esp], esp 0_2_0036F911
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 7918A7F2h; mov dword ptr [esp], ebp 0_2_0036F94A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 3732026Fh; mov dword ptr [esp], esi 0_2_0036F9FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 1AB9DEBDh; mov dword ptr [esp], ebx 0_2_0036FAD7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push ebp; mov dword ptr [esp], ecx 0_2_0036FBA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push 0DECDB5Ch; mov dword ptr [esp], esi 0_2_0036FBDB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push edi; mov dword ptr [esp], ecx 0_2_0036FBEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036F065 push edx; mov dword ptr [esp], edi 0_2_0036FC15
Source: file.exe Static PE information: section name: entropy: 7.985961036007736

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 203CB8 second address: 203CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 203CD3 second address: 203CD8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380196 second address: 3801A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38045D second address: 380461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381F41 second address: 381F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381F45 second address: 381F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381F49 second address: 381F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381F53 second address: 381FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F1F41150C3Ch 0x0000000e push edx 0x0000000f jmp 00007F1F41150C34h 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F1F41150C28h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 push 00000000h 0x00000032 call 00007F1F41150C2Dh 0x00000037 mov esi, dword ptr [ebp+122D2B55h] 0x0000003d pop edx 0x0000003e call 00007F1F41150C29h 0x00000043 push eax 0x00000044 push edx 0x00000045 jl 00007F1F41150C2Ch 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381FC5 second address: 381FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381FC9 second address: 381FCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 381FCF second address: 382002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007F1F40FB135Bh 0x00000012 pop edi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 push edi 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007F1F40FB1356h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382002 second address: 38201D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38201D second address: 382025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382025 second address: 382089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jng 00007F1F41150C2Ah 0x00000012 push esi 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop eax 0x00000017 xor dword ptr [ebp+122D2521h], esi 0x0000001d push 00000003h 0x0000001f xor edx, 1AA70AF0h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F1F41150C28h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov cx, di 0x00000044 push 00000003h 0x00000046 add cx, 03C8h 0x0000004b xor dword ptr [ebp+122D1E1Fh], esi 0x00000051 call 00007F1F41150C29h 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382089 second address: 38208D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38208D second address: 3820AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F1F41150C26h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3820AC second address: 3820C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jo 00007F1F40FB1360h 0x0000000f jmp 00007F1F40FB135Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3820C9 second address: 3820DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F1F41150C26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3820DE second address: 3820E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3820E2 second address: 3820E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3820E8 second address: 382174 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1F40FB1361h 0x00000008 jmp 00007F1F40FB135Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F1F40FB1366h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007F1F40FB135Eh 0x0000001f pop eax 0x00000020 call 00007F1F40FB1369h 0x00000025 mov dword ptr [ebp+122D2285h], edi 0x0000002b pop ecx 0x0000002c movsx esi, cx 0x0000002f lea ebx, dword ptr [ebp+12451DE2h] 0x00000035 mov dword ptr [ebp+122D399Fh], edi 0x0000003b xchg eax, ebx 0x0000003c jmp 00007F1F40FB135Dh 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F1F40FB135Bh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382174 second address: 38217D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38221B second address: 3822A6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1F40FB1356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007F1F40FB1356h 0x00000013 popad 0x00000014 popad 0x00000015 xor dword ptr [esp], 4D981CCDh 0x0000001c jmp 00007F1F40FB1366h 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F1F40FB1358h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d pushad 0x0000003e sub dword ptr [ebp+122D1DD4h], edi 0x00000044 mov dx, 105Dh 0x00000048 popad 0x00000049 push 00000000h 0x0000004b movzx esi, cx 0x0000004e pushad 0x0000004f mov ecx, dword ptr [ebp+122D2E2Ah] 0x00000055 adc bx, 78C4h 0x0000005a popad 0x0000005b push 00000003h 0x0000005d call 00007F1F40FB1359h 0x00000062 jl 00007F1F40FB135Eh 0x00000068 push esi 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3822A6 second address: 3822BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3822BE second address: 3822D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F1F40FB135Bh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3822D9 second address: 3822EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1F41150C28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3823D2 second address: 3823D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3823D6 second address: 382438 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1F41150C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F1F41150C38h 0x00000010 pop esi 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 pushad 0x00000016 clc 0x00000017 mov ecx, edi 0x00000019 popad 0x0000001a push 00000000h 0x0000001c call 00007F1F41150C38h 0x00000021 pushad 0x00000022 mov al, dh 0x00000024 mov dword ptr [ebp+122D1BF4h], edi 0x0000002a popad 0x0000002b pop edx 0x0000002c mov dword ptr [ebp+122D39A9h], edi 0x00000032 push 732AC36Ch 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382438 second address: 38243C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38243C second address: 382446 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 382446 second address: 3824AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 732AC3ECh 0x00000011 mov dword ptr [ebp+122D377Eh], edi 0x00000017 push 00000003h 0x00000019 mov edx, dword ptr [ebp+122D2E01h] 0x0000001f push 00000000h 0x00000021 jmp 00007F1F40FB135Eh 0x00000026 mov esi, dword ptr [ebp+122D2DD1h] 0x0000002c push 00000003h 0x0000002e ja 00007F1F40FB135Bh 0x00000034 push DF016A70h 0x00000039 jbe 00007F1F40FB1368h 0x0000003f push eax 0x00000040 push edx 0x00000041 jo 00007F1F40FB1356h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3824AB second address: 3824AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1852 second address: 3A1857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1857 second address: 3A1880 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1F41150C2Ch 0x00000008 jg 00007F1F41150C26h 0x0000000e jnp 00007F1F41150C34h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1880 second address: 3A1886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1886 second address: 3A18AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C36h 0x00000009 popad 0x0000000a jmp 00007F1F41150C2Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A19E6 second address: 3A19EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1B53 second address: 3A1B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1B58 second address: 3A1B62 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1F40FB136Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1E28 second address: 3A1E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1E2C second address: 3A1E4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1368h 0x00000007 jc 00007F1F40FB1356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1E4E second address: 3A1E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1E53 second address: 3A1E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1E59 second address: 3A1E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2130 second address: 3A2136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2136 second address: 3A2145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F1F41150C26h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2145 second address: 3A214B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A214B second address: 3A2166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jmp 00007F1F41150C2Bh 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2166 second address: 3A216A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A216A second address: 3A217E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F1F41150C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F1F41150C26h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A217E second address: 3A218E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007F1F40FB1356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A218E second address: 3A21A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A28D6 second address: 3A28DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A28DC second address: 3A28E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A28E0 second address: 3A28E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A28E4 second address: 3A2906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F1F41150C34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2906 second address: 3A290C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A290C second address: 3A2918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2A78 second address: 3A2A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A2A7C second address: 3A2A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 398568 second address: 39856C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 375811 second address: 37581E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1F41150C26h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37581E second address: 37582A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F1F40FB1356h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3315 second address: 3A3319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3319 second address: 3A331E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A331E second address: 3A3358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F1F41150C38h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b push edi 0x0000001c je 00007F1F41150C26h 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3358 second address: 3A335C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A34BC second address: 3A34C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A34C0 second address: 3A34C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8C77 second address: 3A8C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8DD0 second address: 3A8DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8DD4 second address: 3A8DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8DD8 second address: 3A8DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1F40FB135Fh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F1F40FB1360h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8DFC second address: 3A8E1E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1F41150C38h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8E1E second address: 3A8E24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A75DF second address: 3A75E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A7D2D second address: 3A7D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8EEE second address: 3A8EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8EF2 second address: 3A8EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8EF6 second address: 3A8EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8EFC second address: 3A8F01 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8F01 second address: 3A8F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8F0D second address: 3A8F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1F40FB1356h 0x0000000a popad 0x0000000b jmp 00007F1F40FB1368h 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AA1A7 second address: 3AA1AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AA1AD second address: 3AA1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AA1B3 second address: 3AA1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AED57 second address: 3AED5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE11B second address: 3AE121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE121 second address: 3AE126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE126 second address: 3AE142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F1F41150C26h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE478 second address: 3AE4A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1365h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1F40FB1360h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE4A3 second address: 3AE4A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE4A7 second address: 3AE4C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1367h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE5F4 second address: 3AE5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE5FA second address: 3AE5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE914 second address: 3AE930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1F41150C2Eh 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEBC9 second address: 3AEBDA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007F1F40FB1356h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEBDA second address: 3AEBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F1F41150C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEBE9 second address: 3AEBF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEBF6 second address: 3AEC14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C39h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEC14 second address: 3AEC29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1F40FB135Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B0B46 second address: 3B0B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B0D94 second address: 3B0D9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B10C4 second address: 3B10D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F1F41150C2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B14CB second address: 3B14CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B14CF second address: 3B14D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1582 second address: 3B1586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1586 second address: 3B15AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F1F41150C30h 0x00000013 xchg eax, ebx 0x00000014 nop 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B15AB second address: 3B15AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1660 second address: 3B1665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1665 second address: 3B1675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F40FB135Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1675 second address: 3B1679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1861 second address: 3B1867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1A3B second address: 3B1A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B1A41 second address: 3B1A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B2C55 second address: 3B2C5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B3CB6 second address: 3B3CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B47BF second address: 3B47C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B7FFA second address: 3B8009 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B8009 second address: 3B800D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B800D second address: 3B8013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372141 second address: 372168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F1F41150C26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 372168 second address: 37218F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Ch 0x00000007 jmp 00007F1F40FB1362h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BAA30 second address: 3BAA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE212 second address: 3BE216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C07F8 second address: 3C0813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C0813 second address: 3C081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F1F40FB1356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C23FD second address: 3C2407 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1F41150C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C33F9 second address: 3C33FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C33FD second address: 3C3403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C3403 second address: 3C3482 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1F40FB1363h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jns 00007F1F40FB136Eh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F1F40FB1358h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d call 00007F1F40FB135Ah 0x00000032 mov bx, 1071h 0x00000036 pop edi 0x00000037 push ecx 0x00000038 and bl, FFFFFFA0h 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e xor edi, 5A67D631h 0x00000044 push 00000000h 0x00000046 mov dword ptr [ebp+122D348Bh], ecx 0x0000004c xchg eax, esi 0x0000004d pushad 0x0000004e push ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C3482 second address: 3C348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F1F41150C26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C25AA second address: 3C264B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1F40FB1362h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1F40FB1364h 0x00000010 nop 0x00000011 mov ebx, dword ptr [ebp+122D3968h] 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov dword ptr [ebp+122D2285h], edi 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov bx, 2DE0h 0x0000002f mov eax, dword ptr [ebp+122D03A1h] 0x00000035 js 00007F1F40FB135Bh 0x0000003b push FFFFFFFFh 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F1F40FB1358h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 or dword ptr [ebp+122D39A9h], ecx 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F1F40FB1366h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C4390 second address: 3C439C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C439C second address: 3C43A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C36D6 second address: 3C36DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C5315 second address: 3C531B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C531B second address: 3C5334 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1F41150C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jnp 00007F1F41150C26h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C72EC second address: 3C7306 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1F40FB1362h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C843B second address: 3C8441 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C7554 second address: 3C7565 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1F40FB1356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C7565 second address: 3C756A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA560 second address: 3CA58C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007F1F40FB135Dh 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1F40FB1361h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CB74B second address: 3CB74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CD6C9 second address: 3CD6EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1F40FB1368h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CC8EC second address: 3CC8F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CC9D8 second address: 3CCA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB1369h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F1F40FB1360h 0x00000013 jmp 00007F1F40FB135Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CEB13 second address: 3CEB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CEB17 second address: 3CEB1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CD7EF second address: 3CD7FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CD8A4 second address: 3CD8C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CD8C1 second address: 3CD8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CD8C7 second address: 3CD8CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D578B second address: 3D5793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4EB7 second address: 3D4EC0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5037 second address: 3D5043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1F41150C26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5043 second address: 3D5054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a jg 00007F1F40FB1356h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5054 second address: 3D506D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1F41150C32h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D51F6 second address: 3D5202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1F40FB1356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5202 second address: 3D520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D520D second address: 3D5211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5211 second address: 3D5217 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D5380 second address: 3D5398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1F40FB1356h 0x00000009 jmp 00007F1F40FB135Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DA513 second address: 3DA540 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1F41150C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jo 00007F1F41150C26h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F1F41150C2Bh 0x00000024 push edx 0x00000025 pop edx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DA540 second address: 3DA554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DA6F5 second address: 3DA738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007F1F41150C38h 0x0000000c pushad 0x0000000d jmp 00007F1F41150C2Eh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jmp 00007F1F41150C39h 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DA8CD second address: 3DA8D7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1F40FB1356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DA8D7 second address: 3DA8DC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E158E second address: 3E159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1F40FB1356h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E08D0 second address: 3E08D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E0EE7 second address: 3E0EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E0EEB second address: 3E0F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C35h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F1F41150C2Ch 0x00000011 jc 00007F1F41150C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E0F12 second address: 3E0F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1363h 0x00000007 pushad 0x00000008 jo 00007F1F40FB1356h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E13DF second address: 3E1411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C37h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1F41150C33h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E1411 second address: 3E1415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BB3C1 second address: 398568 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1F41150C31h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1F41150C28h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D251Bh], esi 0x0000002f call dword ptr [ebp+122D360Dh] 0x00000035 jno 00007F1F41150C3Dh 0x0000003b jbe 00007F1F41150C4Ch 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BB9E4 second address: 3BBA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1F40FB1356h 0x0000000a popad 0x0000000b pop edi 0x0000000c mov eax, dword ptr [eax] 0x0000000e push ecx 0x0000000f jbe 00007F1F40FB135Ch 0x00000015 jp 00007F1F40FB1356h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F1F40FB135Bh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBA13 second address: 3BBA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBA17 second address: 3BBA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBB12 second address: 3BBB17 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBBEE second address: 3BBC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1F40FB1367h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1F40FB135Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BBC1C second address: 3BBC22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC610 second address: 3BC615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC615 second address: 3BC669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F1F41150C38h 0x00000010 pop edi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a push ebx 0x0000001b jo 00007F1F41150C26h 0x00000021 pop ebx 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 jns 00007F1F41150C26h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC71A second address: 3BC77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push esi 0x00000007 jnl 00007F1F40FB1366h 0x0000000d pop esi 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F1F40FB1358h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 call 00007F1F40FB135Eh 0x0000002e mov dh, al 0x00000030 pop ecx 0x00000031 lea eax, dword ptr [ebp+1248B0B1h] 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push edi 0x0000003b jp 00007F1F40FB1356h 0x00000041 pop edi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC77C second address: 3BC7E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F1F41150C26h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f js 00007F1F41150C26h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e popad 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F1F41150C28h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a sbb ecx, 19880AE1h 0x00000040 lea eax, dword ptr [ebp+1248B06Dh] 0x00000046 sub dword ptr [ebp+122D1C58h], edi 0x0000004c add edi, 26B796A7h 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F1F41150C2Dh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC7E2 second address: 3BC7FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F1F40FB135Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC7FF second address: 399092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F1F41150C28h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000014h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 call 00007F1F41150C33h 0x00000025 push edi 0x00000026 mov edx, dword ptr [ebp+122D2573h] 0x0000002c pop ecx 0x0000002d pop edi 0x0000002e je 00007F1F41150C2Ah 0x00000034 mov cx, 0F0Eh 0x00000038 call dword ptr [ebp+122D3909h] 0x0000003e pushad 0x0000003f pushad 0x00000040 jmp 00007F1F41150C33h 0x00000045 push edx 0x00000046 pop edx 0x00000047 jmp 00007F1F41150C2Fh 0x0000004c popad 0x0000004d push eax 0x0000004e jc 00007F1F41150C26h 0x00000054 jmp 00007F1F41150C2Ch 0x00000059 pop eax 0x0000005a jmp 00007F1F41150C30h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399092 second address: 3990A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F1F40FB135Bh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3990A4 second address: 3990BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F41150C33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36EBDD second address: 36EBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4F84 second address: 3E4FA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C2Bh 0x00000007 pushad 0x00000008 jmp 00007F1F41150C2Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4FA1 second address: 3E4FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1F40FB1356h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnp 00007F1F40FB1360h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F1F40FB1369h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E4FDF second address: 3E4FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5147 second address: 3E515E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1F40FB1360h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E52E8 second address: 3E5316 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1F41150C35h 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F1F41150C26h 0x00000010 jmp 00007F1F41150C2Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E5994 second address: 3E59B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB135Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1F40FB135Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37A8D7 second address: 37A8DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA3B7 second address: 3EA3CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1F40FB1361h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA3CE second address: 3EA3D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA3D5 second address: 3EA401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F1F40FB135Dh 0x00000011 jmp 00007F1F40FB135Ch 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA401 second address: 3EA424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007F1F41150C32h 0x0000000b jc 00007F1F41150C26h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA54E second address: 3EA585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB135Eh 0x00000009 jmp 00007F1F40FB1365h 0x0000000e popad 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F1F40FB135Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA585 second address: 3EA589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA82B second address: 3EA835 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1F40FB1356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA0BF second address: 3EA0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F152B second address: 3F1535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1F40FB1356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F1535 second address: 3F153B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F153B second address: 3F1547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F1F40FB1356h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F03B5 second address: 3F03E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F1F41150C2Ah 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F1F41150C33h 0x00000016 jl 00007F1F41150C2Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F0ED7 second address: 3F0EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F0EE2 second address: 3F0EF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1F41150C2Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F0EF2 second address: 3F0F0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F1F40FB135Dh 0x0000000a jne 00007F1F40FB1356h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F124F second address: 3F1254 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F1254 second address: 3F1264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 js 00007F1F40FB135Eh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F41D6 second address: 3F41DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F41DC second address: 3F41F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB1369h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB67E second address: 3FB69A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F1F41150C2Ch 0x0000000c jnl 00007F1F41150C26h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F1F41150C26h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB69A second address: 3FB6AA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1F40FB1356h 0x00000008 jc 00007F1F40FB1356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB257 second address: 3FB25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FB379 second address: 3FB3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push esi 0x00000008 jmp 00007F1F40FB1364h 0x0000000d jo 00007F1F40FB1356h 0x00000013 pop esi 0x00000014 jmp 00007F1F40FB1367h 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37735D second address: 377363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377363 second address: 377367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE146 second address: 3FE14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE14A second address: 3FE168 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1F40FB135Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007F1F40FB1356h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE168 second address: 3FE16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE324 second address: 3FE328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4032A6 second address: 4032E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C2Dh 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jg 00007F1F41150C32h 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007F1F41150C2Ah 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jmp 00007F1F41150C33h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 403881 second address: 403895 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1F40FB135Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 403895 second address: 403899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4097FB second address: 4097FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4097FF second address: 409807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409807 second address: 409846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F1F40FB135Ah 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 jl 00007F1F40FB1366h 0x0000001a jnc 00007F1F40FB135Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 408188 second address: 408193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 408835 second address: 40886B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push edx 0x0000000a jns 00007F1F40FB1356h 0x00000010 pop edx 0x00000011 pop edx 0x00000012 ja 00007F1F40FB137Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1F40FB1366h 0x0000001f jnc 00007F1F40FB1356h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC115 second address: 3BC1D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F1F41150C26h 0x00000009 jnc 00007F1F41150C26h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 je 00007F1F41150C2Eh 0x00000019 je 00007F1F41150C28h 0x0000001f pushad 0x00000020 popad 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F1F41150C28h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov dx, 8861h 0x00000040 mov dword ptr [ebp+122D1DCBh], esi 0x00000046 mov ebx, dword ptr [ebp+1248B0ACh] 0x0000004c mov dword ptr [ebp+122D3471h], edi 0x00000052 add eax, ebx 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 call 00007F1F41150C28h 0x0000005c pop ebx 0x0000005d mov dword ptr [esp+04h], ebx 0x00000061 add dword ptr [esp+04h], 00000015h 0x00000069 inc ebx 0x0000006a push ebx 0x0000006b ret 0x0000006c pop ebx 0x0000006d ret 0x0000006e xor edx, dword ptr [ebp+122D3630h] 0x00000074 nop 0x00000075 jnc 00007F1F41150C45h 0x0000007b push eax 0x0000007c pushad 0x0000007d jmp 00007F1F41150C36h 0x00000082 pushad 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC1D7 second address: 3BC221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1F40FB1356h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F1F40FB1358h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 add dword ptr [ebp+124525B4h], edi 0x0000002d jg 00007F1F40FB135Ch 0x00000033 push 00000004h 0x00000035 mov edi, dword ptr [ebp+122D2C75h] 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC221 second address: 3BC227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CB37 second address: 40CB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CCC6 second address: 40CCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CCCC second address: 40CCD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CCD0 second address: 40CCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CCD6 second address: 40CCFA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1F40FB135Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1F40FB1364h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CCFA second address: 40CD13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C35h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CD13 second address: 40CD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CD22 second address: 40CD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007F1F41150C39h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CD40 second address: 40CD6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1361h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1F40FB1368h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CEC8 second address: 40CEE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F1F41150C37h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40CEE7 second address: 40CF25 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F1F40FB1361h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b jmp 00007F1F40FB1366h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007F1F40FB1356h 0x0000001b je 00007F1F40FB1356h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40D31F second address: 40D338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40D338 second address: 40D368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1F40FB1361h 0x0000000a jmp 00007F1F40FB1366h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40D368 second address: 40D36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40D36E second address: 40D37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F1F40FB135Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40D37F second address: 40D38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1F41150C2Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 416BCB second address: 416BE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F1F40FB1356h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 414B47 second address: 414B4D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 414B4D second address: 414B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F1F40FB1358h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 414B5E second address: 414B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 414B64 second address: 414B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB135Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415A68 second address: 415A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F1F41150C2Eh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F1F41150C26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415A86 second address: 415A8C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415A8C second address: 415A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415A97 second address: 415A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415A9C second address: 415AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 415D81 second address: 415DC0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F40FB135Eh 0x00000008 jc 00007F1F40FB1356h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F1F40FB135Ch 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007F1F40FB135Ch 0x0000001f jmp 00007F1F40FB1363h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4181EA second address: 4181FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F1F41150C2Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4181FE second address: 418205 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36B5E3 second address: 36B5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B502 second address: 41B508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B508 second address: 41B518 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007F1F41150C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B518 second address: 41B559 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1F40FB135Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c jmp 00007F1F40FB1366h 0x00000011 jmp 00007F1F40FB1361h 0x00000016 js 00007F1F40FB1356h 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B559 second address: 41B55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B6E8 second address: 41B70F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1365h 0x00000007 jns 00007F1F40FB1356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F1F40FB1356h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41B994 second address: 41B9AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C35h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BB49 second address: 41BB69 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F1F40FB1360h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BB69 second address: 41BB6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BB6E second address: 41BBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB1369h 0x00000009 pop eax 0x0000000a push edx 0x0000000b jbe 00007F1F40FB1356h 0x00000011 jg 00007F1F40FB1356h 0x00000017 pop edx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BBA1 second address: 41BBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1F41150C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42BAAE second address: 42BAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42BAB5 second address: 42BAD1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1F41150C3Eh 0x00000008 jmp 00007F1F41150C32h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42BAD1 second address: 42BAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1F40FB1360h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F1F40FB1356h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42BAF2 second address: 42BAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42A1A7 second address: 42A1EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1368h 0x00000007 push edx 0x00000008 jmp 00007F1F40FB1365h 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push edx 0x00000012 jo 00007F1F40FB1356h 0x00000018 pop edx 0x00000019 jc 00007F1F40FB135Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42A8DD second address: 42A8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1F41150C26h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F1F41150C2Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42AA68 second address: 42AA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB135Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4297CC second address: 4297D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4297D4 second address: 4297DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4297DD second address: 4297E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4297E3 second address: 4297F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FCB8 second address: 42FCBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FCBE second address: 42FCF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1368h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F1F40FB1368h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FCF7 second address: 42FD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FD03 second address: 42FD35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB135Eh 0x00000007 jmp 00007F1F40FB1360h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnc 00007F1F40FB135Ch 0x00000014 jc 00007F1F40FB1356h 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FD35 second address: 42FD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432BB6 second address: 432BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1F40FB1356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432D60 second address: 432D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C36h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F1F41150C2Ch 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432D89 second address: 432D97 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1F40FB1358h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432D97 second address: 432DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C38h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432F39 second address: 432F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 432F3F second address: 432F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1F41150C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44223E second address: 44224D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1F40FB1356h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44224D second address: 44228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F1F41150C37h 0x0000000b jmp 00007F1F41150C37h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 popad 0x00000014 jo 00007F1F41150C4Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 441D71 second address: 441DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1F40FB1356h 0x0000000a jmp 00007F1F40FB1365h 0x0000000f jmp 00007F1F40FB135Ah 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F1F40FB1356h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4442B0 second address: 4442B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4442B4 second address: 4442BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4442BE second address: 4442C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4442C2 second address: 4442C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 444052 second address: 44405C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1F41150C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452351 second address: 452356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452356 second address: 452360 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1F41150C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452360 second address: 452376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F1F40FB135Eh 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452376 second address: 45237A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45237A second address: 4523AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jno 00007F1F40FB1356h 0x00000014 popad 0x00000015 jng 00007F1F40FB1358h 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F1F40FB135Fh 0x00000022 js 00007F1F40FB135Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452223 second address: 452229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 452229 second address: 45223A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4539D7 second address: 4539DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45AB58 second address: 45AB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45AB5C second address: 45ABB3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1F41150C26h 0x00000008 jmp 00007F1F41150C38h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F1F41150C36h 0x00000015 jmp 00007F1F41150C33h 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jbe 00007F1F41150C26h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45AD0C second address: 45AD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45AE6C second address: 45AEB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1F41150C2Fh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1F41150C2Fh 0x00000016 jmp 00007F1F41150C2Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45AEB7 second address: 45AEE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F1F40FB1362h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45B076 second address: 45B07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45B1D6 second address: 45B1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push edx 0x00000009 pushad 0x0000000a jl 00007F1F40FB1356h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BB373 second address: 3BB3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, dword ptr [ebp+122D2DBDh] 0x0000000e lea eax, dword ptr [ebp+1248B06Dh] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F1F41150C28h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e je 00007F1F41150C2Ah 0x00000034 mov dx, 97F9h 0x00000038 sbb edi, 6902092Dh 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45EDEE second address: 45EE09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F40FB1361h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45EE09 second address: 45EE0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 470602 second address: 47060D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1F40FB1356h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47060D second address: 470619 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1F41150C2Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 472F7F second address: 472F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F40FB1360h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E3A6 second address: 46E3C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1F41150C35h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E3C1 second address: 46E403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jng 00007F1F40FB1356h 0x0000000d popad 0x0000000e jne 00007F1F40FB1364h 0x00000014 jmp 00007F1F40FB135Eh 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F1F40FB1369h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E403 second address: 46E420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C2Ah 0x00000009 jns 00007F1F41150C26h 0x0000000f popad 0x00000010 push edx 0x00000011 jbe 00007F1F41150C26h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E420 second address: 46E460 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1F40FB136Dh 0x00000008 jmp 00007F1F40FB1367h 0x0000000d pushad 0x0000000e jmp 00007F1F40FB1361h 0x00000013 jmp 00007F1F40FB135Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480EFA second address: 480EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480EFE second address: 480F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1F40FB1356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480F0E second address: 480F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C32h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A4D3 second address: 49A4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F1F40FB1366h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A77A second address: 49A78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1F41150C2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A78A second address: 49A798 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1F40FB1356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A798 second address: 49A79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49AE41 second address: 49AE61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007F1F40FB1356h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 jc 00007F1F40FB135Eh 0x0000001c push esi 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E1AF second address: 49E1C1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F1F41150C28h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49E1C1 second address: 49E1CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F1F40FB1356h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1324 second address: 4A1345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1F41150C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F1F41150C26h 0x00000011 jns 00007F1F41150C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1345 second address: 4A1364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1F40FB1366h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A2F7B second address: 4A2F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 jnc 00007F1F41150C2Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230AFE second address: 5230B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B04 second address: 5230B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B08 second address: 5230B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B0C second address: 5230B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e pushad 0x0000000f mov bx, A0B8h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F1F41150C37h 0x0000001b add cl, 0000007Eh 0x0000001e jmp 00007F1F41150C39h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B56 second address: 5230B8F instructions: 0x00000000 rdtsc 0x00000002 mov bh, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test ecx, ecx 0x00000009 jmp 00007F1F40FB1363h 0x0000000e jns 00007F1F40FB13B8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F1F40FB1365h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B8F second address: 5230B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B97 second address: 5230C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add eax, ecx 0x00000009 pushad 0x0000000a jmp 00007F1F40FB1362h 0x0000000f call 00007F1F40FB1362h 0x00000014 call 00007F1F40FB1362h 0x00000019 pop ecx 0x0000001a pop edx 0x0000001b popad 0x0000001c mov eax, dword ptr [eax+00000860h] 0x00000022 jmp 00007F1F40FB135Eh 0x00000027 test eax, eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F1F40FB135Dh 0x00000032 sub cx, AA36h 0x00000037 jmp 00007F1F40FB1361h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F1F40FB1360h 0x00000043 sub ax, A958h 0x00000048 jmp 00007F1F40FB135Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230C3B second address: 5230C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1F41150C34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230C53 second address: 5230C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F1FB17F745Ah 0x0000000e pushad 0x0000000f mov edi, 515541D0h 0x00000014 push eax 0x00000015 push edx 0x00000016 call 00007F1F40FB135Fh 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 203D21 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 203C38 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3CEB48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4348C8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 6664 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6664 Thread sleep time: -30000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2081549022.000000000038A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2082248642.000000000133E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.2082369029.000000000139C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080904765.000000000139C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<2
Source: file.exe, 00000000.00000002.2082441705.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080904765.00000000013C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2081549022.000000000038A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001E5BB0 LdrInitializeThunk, 0_2_001E5BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.store
Source: file.exe String found in binary or memory: bathdoomgaz.store
Source: file.exe String found in binary or memory: studennotediw.store
Source: file.exe String found in binary or memory: dissapoiznw.store
Source: file.exe String found in binary or memory: eaglepawnoy.store
Source: file.exe String found in binary or memory: mobbipenju.store
Source: file.exe, file.exe, 00000000.00000002.2081667097.00000000003CE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vProgram Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR