Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541677
MD5: 8a8ac6e786885a36e9ad6f8143fbea3f
SHA1: 2682fca6d8bba7aba4505f8714a223a07c7bb5cd
SHA256: 49cbacde80b5c92732411b538fbaec79d88bda59faa3e20cbd7d67665d9020bf
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: file.exe.6544.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "spirittunek.store", "licendfilteo.site", "eaglepawnoy.store", "mobbipenju.store", "studennotediw.store", "bathdoomgaz.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1715380228.00000000008C1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_009050FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008CD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008CD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_009063B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_009099D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_0090695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_008CFCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_008D0EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00906094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_008C1000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_008D6F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_008FF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00904040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_008ED1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_008D42FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_008E2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_008E2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_008CA300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_009064B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_008EE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_008DB410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00901440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_008DD457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_008EC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_008E9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00907520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_008D6536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_008FB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_008EE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_008ED7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_009067EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00907710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00905700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_008E28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_008C49A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00903920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_008DD961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_008D1ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_008D1A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00904A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_008C5A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_008F0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_008D1BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_008D3BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_008DDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_008DDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00909B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_008EAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_008EAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_008ECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008ECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_008ECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00909CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00909CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_008E7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_008FFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_008EEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00908D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_008EFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_008EDD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_008D1E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_008C6EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_008D6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_008CBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_008D4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_008EAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_008E7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008E5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_008D6F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00905FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00907FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00907FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_008DFFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_008C8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_008E9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008FFF70

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:56897 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:51224 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:55831 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:50769 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:55271 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:54746 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:50876 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:60823 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: dissapoiznw.store
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1698553601.0000000001513000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=346313cc8dbc10599301df23; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 23:25:59 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apiapib
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716233441.0000000001495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716233441.0000000001495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/G
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.00000000014BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1698553601.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.000000000149F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900z
Source: file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba2
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698495793.000000000152B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1698495793.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716465250.0000000001513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D0228 0_2_008D0228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0090A0D0 0_2_0090A0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C1000 0_2_008C1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D2030 0_2_008D2030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00904040 0_2_00904040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CE1A0 0_2_008CE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B071C8 0_2_00B071C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C71F0 0_2_008C71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C5160 0_2_008C5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F82D0 0_2_008F82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F12D0 0_2_008F12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009652EC 0_2_009652EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C12F7 0_2_008C12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9A246 0_2_00A9A246
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CB3A0 0_2_008CB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C13A3 0_2_008C13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F23E0 0_2_008F23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CA300 0_2_008CA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9633C 0_2_00A9633C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D4487 0_2_008D4487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D049B 0_2_008D049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F64F0 0_2_008F64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9141F 0_2_00A9141F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8C45C 0_2_00A8C45C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008EC470 0_2_008EC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C35B0 0_2_008C35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DC5F0 0_2_008DC5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009086F0 0_2_009086F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FF620 0_2_008FF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00908652 0_2_00908652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C164F 0_2_008C164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FE8A0 0_2_008FE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FB8C0 0_2_008FB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB2835 0_2_00AB2835
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F1860 0_2_008F1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E098B 0_2_008E098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009089A0 0_2_009089A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8F9EA 0_2_00A8F9EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A949D1 0_2_00A949D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097394A 0_2_0097394A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00908A80 0_2_00908A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00907AB0 0_2_00907AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00904A40 0_2_00904A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009DEB94 0_2_009DEB94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8BB9F 0_2_00A8BB9F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C7BF0 0_2_008C7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DDB6F 0_2_008DDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00906CBF 0_2_00906CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ECCD0 0_2_008ECCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A6CC20 0_2_00A6CC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00908C02 0_2_00908C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008EFD10 0_2_008EFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008EDD29 0_2_008EDD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E8D62 0_2_008E8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D6EBF 0_2_008D6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CBEB0 0_2_008CBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8DEC3 0_2_00A8DEC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07E3D 0_2_00B07E3D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A97E38 0_2_00A97E38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D4E2A 0_2_008D4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008EAE57 0_2_008EAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00908E70 0_2_00908E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00907FC0 0_2_00907FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C8FD0 0_2_008C8FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CAF10 0_2_008CAF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A92F13 0_2_00A92F13
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A6DF43 0_2_00A6DF43
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 008DD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 008CCAA0 appears 48 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994972153465347
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@9/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F8220 CoCreateInstance, 0_2_008F8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeQ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: file.exe Static file information: File size 2916864 > 1048576
Source: file.exe Static PE information: Raw size of mdtsvfye is bigger than: 0x100000 < 0x29ec00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.8c0000.0.unpack :EW;.rsrc :W;.idata :W;mdtsvfye:EW;bwtuuemd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;mdtsvfye:EW;bwtuuemd:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2ca44b should be: 0x2d0c74
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: mdtsvfye
Source: file.exe Static PE information: section name: bwtuuemd
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B010AD push ebx; mov dword ptr [esp], 4AAB3668h 0_2_00B010DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push edx; mov dword ptr [esp], ebx 0_2_00A03162
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push eax; mov dword ptr [esp], edx 0_2_00A0318A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push edi; mov dword ptr [esp], edx 0_2_00A031A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push 5355C787h; mov dword ptr [esp], edx 0_2_00A031B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push ebp; mov dword ptr [esp], esp 0_2_00A031BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push 5D78FAD2h; mov dword ptr [esp], esi 0_2_00A03221
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push esi; mov dword ptr [esp], ebx 0_2_00A03239
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push eax; mov dword ptr [esp], edx 0_2_00A0326E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push 62D30D7Eh; mov dword ptr [esp], edi 0_2_00A03278
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A030F5 push ebp; mov dword ptr [esp], esi 0_2_00A032CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE90D3 push 65F5412Ch; mov dword ptr [esp], ecx 0_2_00AE90F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE90D3 push ebx; mov dword ptr [esp], 7AB7561Ch 0_2_00AE9108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF03F push ecx; mov dword ptr [esp], esi 0_2_00BBF0C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF03F push eax; mov dword ptr [esp], ebx 0_2_00BBF0D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF03F push ebx; mov dword ptr [esp], 7EFE9F78h 0_2_00BBF0F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF03F push 64574B37h; mov dword ptr [esp], ebp 0_2_00BBF14B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B49054 push eax; mov dword ptr [esp], ecx 0_2_00B4917E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF19F push ebp; mov dword ptr [esp], eax 0_2_00BBF2EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D11C5 push esi; mov dword ptr [esp], 6FF91B84h 0_2_009D11FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D11C5 push edx; mov dword ptr [esp], edi 0_2_009D1264
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D11C5 push 107887F7h; mov dword ptr [esp], edx 0_2_009D12B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D11C5 push ecx; mov dword ptr [esp], 3DC7EE03h 0_2_009D12BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B071C8 push edi; mov dword ptr [esp], 7DF6CECDh 0_2_00B071F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B071C8 push 49F60D51h; mov dword ptr [esp], edi 0_2_00B07281
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B54144 push ecx; mov dword ptr [esp], esp 0_2_00B5418D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B012AC push 5B26B2FAh; mov dword ptr [esp], ebp 0_2_00B012F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAE291 push esi; mov dword ptr [esp], ebp 0_2_00AAE950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009652EC push ecx; mov dword ptr [esp], ebx 0_2_00965309
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009652EC push 11071BF1h; mov dword ptr [esp], edx 0_2_0096540D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009652EC push ebx; mov dword ptr [esp], ecx 0_2_00965411
Source: file.exe Static PE information: section name: entropy: 7.9804405132247425

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9242A4 second address: 9242A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F3D5 second address: A9F3F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007F6F0CD49E38h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 jmp 00007F6F0CD49E3Ah 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E35F second address: A9E373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F0CE923E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E373 second address: A9E38B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6F0CD49E3Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E38B second address: A9E391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E8DD second address: A9E8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E8E5 second address: A9E8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E8EF second address: A9E8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9EA59 second address: A9EA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6F0CE923D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9EA63 second address: A9EA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E45h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F6F0CD49E36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9EA86 second address: A9EA8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9EA8A second address: A9EAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F6F0CD49E3Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0E4D second address: AA0E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0FA5 second address: AA0FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6F0CD49E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0FAF second address: AA0FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A944B0 second address: A944C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F0CD49E42h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A944C6 second address: A944CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEAD5 second address: ABEADD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEADD second address: ABEAFF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F0CE923ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEAFF second address: ABEB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABED7A second address: ABEDA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F6F0CE923D6h 0x0000000b jmp 00007F6F0CE923E4h 0x00000010 ja 00007F6F0CE923D6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEDA6 second address: ABEDCB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F6F0CD49E48h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEDCB second address: ABEDE4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F0CE923DFh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEDE4 second address: ABEDF4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F0CD49E36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEDF4 second address: ABEDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6F0CE923D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF246 second address: ABF24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF24B second address: ABF256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F6F0CE923D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF382 second address: ABF396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E40h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF396 second address: ABF3CF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F0CE923D6h 0x00000008 jp 00007F6F0CE923D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6F0CE923E8h 0x00000015 pop edx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6F0CE923DBh 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF706 second address: ABF70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF85B second address: ABF85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF9DE second address: ABF9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABF9E3 second address: ABFA09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F6F0CE923D6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABFCDF second address: ABFCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABFCEE second address: ABFD1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F6F0CE923D6h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F6F0CE923E4h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABFD1C second address: ABFD22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB824D second address: AB8252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABFEAD second address: ABFEB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABFEB1 second address: ABFEB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0500 second address: AC0524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007F6F0CD49E36h 0x0000000c jns 00007F6F0CD49E36h 0x00000012 popad 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jbe 00007F6F0CD49E36h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0524 second address: AC053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC053F second address: AC0543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC07E0 second address: AC07E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC07E5 second address: AC0818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F0CD49E44h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F6F0CD49E51h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6F0CD49E3Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0818 second address: AC081C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0C2C second address: AC0C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E3Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0C3B second address: AC0C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90FAC second address: A90FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC82DD second address: AC82E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC82E1 second address: AC82E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC82E7 second address: AC82FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jbe 00007F6F0CE923D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC82FC second address: AC8301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC6FD0 second address: AC6FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC6FD6 second address: AC6FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F4FE second address: A8F502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F502 second address: A8F512 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F6F0CD49E36h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F512 second address: A8F516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCA23 second address: ACCA2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCA2E second address: ACCA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jng 00007F6F0CE923D8h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F6F0CE923DEh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCA52 second address: ACCA69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E3Dh 0x00000007 jp 00007F6F0CD49E36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCF0B second address: ACCF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F0CE923E2h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCF2A second address: ACCF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCF2E second address: ACCF44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F6F0CE923DBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACD096 second address: ACD0C0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F0CD49E36h 0x00000008 jc 00007F6F0CD49E36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6F0CD49E48h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF1EE second address: ACF20C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F6F0CE923DCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF20C second address: ACF211 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF296 second address: ACF2DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 25EE79E4h 0x0000000e call 00007F6F0CE923D9h 0x00000013 jmp 00007F6F0CE923E1h 0x00000018 push eax 0x00000019 jmp 00007F6F0CE923E3h 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF2DB second address: ACF2F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF47F second address: ACF491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F0CE923DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFE64 second address: ACFE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFE6D second address: ACFE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFF39 second address: ACFF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFF3E second address: ACFF94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007F6F0CE923D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d jmp 00007F6F0CE923E9h 0x00000012 nop 0x00000013 jmp 00007F6F0CE923E8h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c jmp 00007F6F0CE923E2h 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD09DB second address: AD0A70 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F0CD49E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jo 00007F6F0CD49E44h 0x00000012 push edi 0x00000013 jmp 00007F6F0CD49E3Ch 0x00000018 pop edi 0x00000019 nop 0x0000001a xor edi, 5D96287Dh 0x00000020 push 00000000h 0x00000022 jmp 00007F6F0CD49E3Eh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F6F0CD49E38h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 xchg eax, ebx 0x00000044 jne 00007F6F0CD49E54h 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F6F0CD49E3Fh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD24EB second address: AD255A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F6F0CE923E7h 0x0000000c nop 0x0000000d push ecx 0x0000000e and esi, dword ptr [ebp+122D1F80h] 0x00000014 pop esi 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D3399h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007F6F0CE923D8h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 xchg eax, ebx 0x0000003a push ebx 0x0000003b pushad 0x0000003c jmp 00007F6F0CE923DFh 0x00000041 jng 00007F6F0CE923D6h 0x00000047 popad 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push ebx 0x0000004b push esi 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2FF5 second address: AD2FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2D58 second address: AD2D68 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2FF9 second address: AD3002 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2D68 second address: AD2D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F0CE923D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD3A06 second address: AD3A10 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F0CD49E3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD3A10 second address: AD3A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D36E1h], ecx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F6F0CE923D8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jns 00007F6F0CE923DCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F6F0CE923D8h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d call 00007F6F0CE923E0h 0x00000052 mov esi, ebx 0x00000054 pop esi 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F6F0CE923E5h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD3A9F second address: AD3AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6F0CD49E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD50A2 second address: AD50A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5AFD second address: AD5B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD74D3 second address: AD7557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F6F0CE923E1h 0x00000011 jmp 00007F6F0CE923DBh 0x00000016 nop 0x00000017 call 00007F6F0CE923E7h 0x0000001c jmp 00007F6F0CE923DCh 0x00000021 pop ebx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F6F0CE923D8h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e push 00000000h 0x00000040 mov ebx, 6F5E9996h 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F6F0CE923E3h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD7557 second address: AD756C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007F6F0CD49E36h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA5F8 second address: ADA667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jnc 00007F6F0CE923D6h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+122D36E1h], ecx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F6F0CE923D8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122DBBD2h], ecx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F6F0CE923D8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 movzx edi, di 0x0000005a xchg eax, esi 0x0000005b jc 00007F6F0CE923E8h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA667 second address: ADA66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5909 second address: AD5938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923E3h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007F6F0CE923DEh 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA66B second address: ADA680 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F0CD49E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F6F0CD49E44h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5938 second address: AD593C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB5B0 second address: ADB5C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB5C6 second address: ADB5D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6F0CE923D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB5D0 second address: ADB5D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD876E second address: AD8774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD7714 second address: AD77A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D3399h], esi 0x00000013 or bl, FFFFFFECh 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push edi 0x0000001e jmp 00007F6F0CD49E44h 0x00000023 pop ebx 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F6F0CD49E38h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D2EDCh], edx 0x0000004b jno 00007F6F0CD49E37h 0x00000051 mov eax, dword ptr [ebp+122D0B29h] 0x00000057 or dword ptr [ebp+122D2EDCh], edx 0x0000005d push FFFFFFFFh 0x0000005f mov ebx, 011D7B3Ch 0x00000064 mov dword ptr [ebp+122D20B8h], ecx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push edi 0x0000006e pushad 0x0000006f popad 0x00000070 pop edi 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA89D second address: ADA8B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F6F0CE923D6h 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB5D4 second address: ADB5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F0CD49E3Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD8774 second address: AD8814 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push edi 0x0000000f mov bx, D7DEh 0x00000013 pop edi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jmp 00007F6F0CE923E4h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 clc 0x00000028 mov eax, dword ptr [ebp+122D02B9h] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F6F0CE923D8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 mov ebx, dword ptr [ebp+122D2E07h] 0x0000004e and ebx, dword ptr [ebp+122D2AA5h] 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push ebp 0x00000059 call 00007F6F0CE923D8h 0x0000005e pop ebp 0x0000005f mov dword ptr [esp+04h], ebp 0x00000063 add dword ptr [esp+04h], 00000015h 0x0000006b inc ebp 0x0000006c push ebp 0x0000006d ret 0x0000006e pop ebp 0x0000006f ret 0x00000070 movsx ebx, ax 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jng 00007F6F0CE923D6h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA8B2 second address: ADA8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E48h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD8814 second address: AD881A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB798 second address: ADB79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE4C2 second address: ADE4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE4C6 second address: ADE4CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF4D3 second address: ADF509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F6F0CE923EFh 0x00000013 jmp 00007F6F0CE923E9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF509 second address: ADF58F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F0CD49E38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F6F0CD49E38h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D27F8h], edx 0x0000002b push 00000000h 0x0000002d sub edi, dword ptr [ebp+122D1C37h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F6F0CD49E38h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov bx, 73C1h 0x00000053 xchg eax, esi 0x00000054 push ebx 0x00000055 pushad 0x00000056 jmp 00007F6F0CD49E3Eh 0x0000005b jmp 00007F6F0CD49E3Ah 0x00000060 popad 0x00000061 pop ebx 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE059B second address: AE0631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F6F0CE923E6h 0x00000012 mov edi, esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F6F0CE923D8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push esi 0x00000031 mov ebx, dword ptr [ebp+122D27EDh] 0x00000037 pop ebx 0x00000038 sub dword ptr [ebp+122D3A2Bh], edi 0x0000003e push 00000000h 0x00000040 jmp 00007F6F0CE923E8h 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 push eax 0x00000048 jl 00007F6F0CE923D6h 0x0000004e pop eax 0x0000004f jmp 00007F6F0CE923E9h 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE174D second address: AE1752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE27BF second address: AE27C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE37A0 second address: AE37A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE37A6 second address: AE37AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE37AE second address: AE37B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE57FA second address: AE5865 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F6F0CE923D8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov edi, 0F045B15h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F6F0CE923D8h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov ebx, dword ptr [ebp+122D315Dh] 0x0000004d or dword ptr [ebp+122D21A3h], edi 0x00000053 push 00000000h 0x00000055 mov edi, ebx 0x00000057 movsx edi, cx 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5865 second address: AE5869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5869 second address: AE5873 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5873 second address: AE5879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5879 second address: AE588E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e js 00007F6F0CE923D6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE588E second address: AE5899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F6F0CD49E36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE687F second address: AE689F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F0CE923DEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE689F second address: AE68A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEC244 second address: AEC248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0EBB second address: AF0ECC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 je 00007F6F0CD49E36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0678 second address: AF0694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F6F0CE923E4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0694 second address: AF0699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0699 second address: AF06A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE494E second address: AE4953 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4A3B second address: AE4A56 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F0CE923D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F6F0CE923DCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4A56 second address: AE4A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4A5C second address: AE4A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4A60 second address: AE4A64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0911 second address: AF0929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0929 second address: AF092F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF092F second address: AF0935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0A77 second address: AF0A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6F0CD49E36h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6332 second address: AF633F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF63BC second address: AF63C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6546 second address: AF6550 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F0CE923DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6550 second address: AF65A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F6F0CD49E3Eh 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 jmp 00007F6F0CD49E49h 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F6F0CD49E3Dh 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF65A0 second address: AF65A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA38D second address: AFA391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA391 second address: AFA395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA395 second address: AFA39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA50F second address: AFA513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA513 second address: AFA517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA517 second address: AFA523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA523 second address: AFA529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA678 second address: AFA67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA7F1 second address: AFA7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFAC43 second address: AFAC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B076D3 second address: B076DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06177 second address: B0617B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06737 second address: B0673B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0673B second address: B06760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6F0CE923E6h 0x0000000c jo 00007F6F0CE923D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07132 second address: B07137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07137 second address: B07156 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F0CE923F1h 0x00000008 jmp 00007F6F0CE923E5h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0755E second address: B07564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05E89 second address: B05E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0BA64 second address: B0BA6A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0BBF9 second address: B0BBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0C48C second address: B0C493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0C493 second address: B0C4B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F0CE923E5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0C4B5 second address: B0C4BF instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F0CD49E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0C5E6 second address: B0C607 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F6F0CE923E4h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0CA28 second address: B0CA35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0CA35 second address: B0CA59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6F0CE923D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F6F0CE923E7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0FDFF second address: B0FE1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F0CD49E3Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F6F0CD49E38h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACDAA1 second address: AB824D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F0CE923D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F6F0CE923D8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 lea eax, dword ptr [ebp+1247D813h] 0x0000002b add dword ptr [ebp+122D3708h], eax 0x00000031 push eax 0x00000032 jmp 00007F6F0CE923DBh 0x00000037 mov dword ptr [esp], eax 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007F6F0CE923D8h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 jmp 00007F6F0CE923DDh 0x00000059 sub dword ptr [ebp+122D21A3h], eax 0x0000005f call dword ptr [ebp+122D2DD4h] 0x00000065 push eax 0x00000066 push edx 0x00000067 push ecx 0x00000068 pushad 0x00000069 popad 0x0000006a pushad 0x0000006b popad 0x0000006c pop ecx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACDC9B second address: ACDC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACDC9F second address: ACDCB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE083 second address: ACE087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE087 second address: ACE096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE17B second address: ACE195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E45h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE3A0 second address: ACE3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE467 second address: ACE476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEAAF second address: ACEAB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEAB3 second address: ACEABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEED1 second address: ACEF1C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F6F0CE923D8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 xor edi, 02919BD9h 0x0000002c lea eax, dword ptr [ebp+1247D813h] 0x00000032 mov edi, 38EE247Fh 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jne 00007F6F0CE923DCh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1010A second address: B1011B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10288 second address: B102B7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F0CE923D6h 0x00000008 ja 00007F6F0CE923D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F6F0CE923E9h 0x00000016 jmp 00007F6F0CE923E1h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B102B7 second address: B102BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A61D second address: A8A623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A623 second address: A8A629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A629 second address: A8A634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6F0CE923D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A634 second address: A8A64B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F0CD49E42h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15808 second address: B1580C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1580C second address: B1582F instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F0CD49E36h 0x00000008 jmp 00007F6F0CD49E45h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15977 second address: B15991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F0CE923E2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15991 second address: B15995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15995 second address: B1599B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1599B second address: B159A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1762F second address: B17634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17634 second address: B17657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6F0CD49E47h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17657 second address: B1765B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1765B second address: B17664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A866 second address: B1A8A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E2h 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F6F0CE923DDh 0x00000013 push eax 0x00000014 jl 00007F6F0CE923D6h 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6F0CE923DCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A8A6 second address: B1A8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A8AA second address: B1A8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1AA18 second address: B1AA21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1AA21 second address: B1AA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C5F4 second address: B1C5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C5FA second address: B1C61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923E9h 0x00000009 jnp 00007F6F0CE923D6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C61E second address: B1C625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C625 second address: B1C645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F0CE923DBh 0x0000000c jmp 00007F6F0CE923DEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C645 second address: B1C65D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F0CD49E36h 0x00000008 jnp 00007F6F0CD49E36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21BC3 second address: B21BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A95F2C second address: A95F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20524 second address: B2055C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923E6h 0x00000009 jo 00007F6F0CE923D6h 0x0000000f jmp 00007F6F0CE923DDh 0x00000014 popad 0x00000015 jng 00007F6F0CE923DAh 0x0000001b push eax 0x0000001c pop eax 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2055C second address: B20561 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2068F second address: B20699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20943 second address: B20949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20949 second address: B20982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6F0CE923E7h 0x0000000c jmp 00007F6F0CE923DBh 0x00000011 je 00007F6F0CE923D6h 0x00000017 pushad 0x00000018 js 00007F6F0CE923D6h 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F6F0CE923DCh 0x00000025 push eax 0x00000026 pop eax 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20982 second address: B20986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20C15 second address: B20C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F0CE923E3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20C2D second address: B20C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E46h 0x00000007 pushad 0x00000008 jmp 00007F6F0CD49E49h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACDA95 second address: ACDAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE8AC second address: ACE911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, 3C0A1C86h 0x00000012 mov ebx, dword ptr [ebp+1247D852h] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F6F0CD49E38h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D33B4h], edi 0x00000038 sub dword ptr [ebp+122D386Fh], ecx 0x0000003e add eax, ebx 0x00000040 sbb cx, 3720h 0x00000045 push eax 0x00000046 pushad 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE911 second address: ACE93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F6F0CE923E1h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add cx, 5178h 0x00000013 push 00000004h 0x00000015 mov dword ptr [ebp+1245178Fh], esi 0x0000001b nop 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE93E second address: ACE952 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F0CD49E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE952 second address: ACE958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B258CE second address: B258E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F6F0CD49E41h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B27 second address: B25B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jns 00007F6F0CE923D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B36 second address: B25B3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B3C second address: B25B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25CB4 second address: B25CE4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F0CD49E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6F0CD49E49h 0x0000000f jmp 00007F6F0CD49E3Ah 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25E24 second address: B25E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25E28 second address: B25E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007F6F0CD49E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25E34 second address: B25E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2610F second address: B26140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F6F0CD49E4Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F6F0CD49E36h 0x00000013 jp 00007F6F0CD49E36h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26140 second address: B26144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26144 second address: B2614D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2614D second address: B26185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923E4h 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F6F0CE923E9h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26185 second address: B26192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2CA7A second address: B2CA98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F6F0CE923D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2CA98 second address: B2CAAE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F0CD49E36h 0x00000008 jp 00007F6F0CD49E36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2CAAE second address: B2CAD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F6F0CE923F3h 0x0000000c jmp 00007F6F0CE923E7h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D7FD second address: B2D801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D801 second address: B2D810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2DDCA second address: B2DDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2DDCE second address: B2DDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E0B5 second address: B2E0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E6A8 second address: B2E6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CE923DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E6B8 second address: B2E6D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F0CD49E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3762B second address: B3762F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3762F second address: B37633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37633 second address: B3763F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3763F second address: B37643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37643 second address: B37647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36DE2 second address: B36DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F0CD49E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B371D6 second address: B371DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3EBEA second address: B3EC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 ja 00007F6F0CD49E36h 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007F6F0CD49E36h 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 jmp 00007F6F0CD49E49h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3EC29 second address: B3EC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3EC2D second address: B3EC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E43h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F6F0CD49E3Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D190 second address: B3D1C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F0CE923E0h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F6F0CE923D6h 0x00000016 jmp 00007F6F0CE923E7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D1C8 second address: B3D1CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D1CE second address: B3D1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F0CE923DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D36B second address: B3D376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D376 second address: B3D3A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 jnc 00007F6F0CE923E9h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007F6F0CE9240Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D3A3 second address: B3D3CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E41h 0x00000007 jmp 00007F6F0CD49E40h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D3CE second address: B3D3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3DAD3 second address: B3DADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B41168 second address: B4117D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 jnc 00007F6F0CE923DAh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4117D second address: B41181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45C52 second address: B45C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6F0CE923E8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45C74 second address: B45C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E42h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45C8F second address: B45C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4877F second address: B4879C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6F0CD49E47h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4879C second address: B487A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48923 second address: B48929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48A87 second address: B48A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48A8B second address: B48A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F6F0CD49E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56260 second address: B56264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55F54 second address: B55F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55F5A second address: B55F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B607CA second address: B607D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F6F0CD49E36h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B607D9 second address: B607ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68BA9 second address: B68BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E41h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68BC2 second address: B68BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70B17 second address: B70B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70B1F second address: B70B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F0CE923E0h 0x0000000a je 00007F6F0CE923DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6F9CA second address: B6F9D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B707A9 second address: B707AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B707AF second address: B707BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6F0CD49E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B707BB second address: B707CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F6F0CE923DEh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B707CD second address: B707EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F6F0CD49E45h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B707EA second address: B707F7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F0CE923D8h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B75108 second address: B7510D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7510D second address: B7512C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F6F0CE923D6h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F6F0CE923DEh 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8EE14 second address: B8EE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F0CD49E48h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94406 second address: B94413 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAE4B7 second address: BAE511 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F0CD49E43h 0x00000008 jmp 00007F6F0CD49E47h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 js 00007F6F0CD49E36h 0x00000018 jo 00007F6F0CD49E36h 0x0000001e pop ecx 0x0000001f pushad 0x00000020 push edi 0x00000021 pop edi 0x00000022 jmp 00007F6F0CD49E45h 0x00000027 push edx 0x00000028 pop edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAE511 second address: BAE516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD3AC second address: BAD3C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E43h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD7F2 second address: BAD7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD7F8 second address: BAD817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6F0CD49E42h 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD817 second address: BAD832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923E1h 0x00000007 js 00007F6F0CE923DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BADF25 second address: BADF61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F0CD49E46h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d jmp 00007F6F0CD49E3Bh 0x00000012 pop edx 0x00000013 js 00007F6F0CD49E38h 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f pop eax 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BADF61 second address: BADF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAE1F6 second address: BAE1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAE1FB second address: BAE206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F6F0CE923D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAE206 second address: BAE219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F0CD49E36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F6F0CD49E36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB26EB second address: BB26F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5B46 second address: BB5B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5B4C second address: BB5B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5B50 second address: BB5B6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F0CD49E43h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5B6F second address: BB5B79 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F0CE923D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5B79 second address: BB5B86 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F0CD49E38h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0AC5 second address: 52B0AD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0AD4 second address: 52B0B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx edi, cx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0B00 second address: 52B0B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CE923DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b pushad 0x0000000c mov bx, cx 0x0000000f jmp 00007F6F0CE923E0h 0x00000014 popad 0x00000015 jns 00007F6F0CE92432h 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F6F0CE923DEh 0x00000022 and si, 69B8h 0x00000027 jmp 00007F6F0CE923DBh 0x0000002c popfd 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0B51 second address: 52B0B71 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 6A0Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 add eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop esi 0x00000010 jmp 00007F6F0CD49E3Fh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0B71 second address: 52B0B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0B77 second address: 52B0BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F0CD49E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax+00000860h] 0x00000011 jmp 00007F6F0CD49E46h 0x00000016 test eax, eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F6F0CD49E3Eh 0x0000001f sbb esi, 4548A8D8h 0x00000025 jmp 00007F6F0CD49E3Bh 0x0000002a popfd 0x0000002b mov ah, 93h 0x0000002d popad 0x0000002e je 00007F6F7D68FFCAh 0x00000034 jmp 00007F6F0CD49E3Bh 0x00000039 test byte ptr [eax+04h], 00000005h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F6F0CD49E45h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0BF7 second address: 52B0BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0BFD second address: 52B0C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD22FF second address: AD2304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 923A88 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3020 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1715580480.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1716233441.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0}L
Source: file.exe, 00000000.00000003.1698553601.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716328542.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716405897.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698553601.00000000014BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1715580480.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00905BB0 LdrInitializeThunk, 0_2_00905BB0

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.store
Source: file.exe String found in binary or memory: spirittunek.store
Source: file.exe String found in binary or memory: dissapoiznw.store
Source: file.exe String found in binary or memory: studennotediw.store
Source: file.exe String found in binary or memory: mobbipenju.store
Source: file.exe String found in binary or memory: eaglepawnoy.store
Source: file.exe, file.exe, 00000000.00000002.1715682751.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: sCProgram Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541677 Sample: file.exe Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 10 studennotediw.store 2->10 12 steamcommunity.com 2->12 14 7 other IPs or domains 2->14 18 Suricata IDS alerts for network traffic 2->18 20 Found malware configuration 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 7 other signatures 2->24 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 steamcommunity.com 104.102.49.254, 443, 49730 AKAMAI-ASUS United States 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->28 30 Tries to evade debugger and weak emulator (self modifying code) 6->30 32 4 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
bathdoomgaz.store true
    		unknown
    studennotediw.store true
      		unknown
      clearancek.site true
        		unknown
        dissapoiznw.store true
          		unknown
          https://steamcommunity.com/profiles/76561199724331900 true
            		unknown
            spirittunek.store true
              		unknown
              licendfilteo.site true
                		unknown
                eaglepawnoy.store true
                  		unknown
                  mobbipenju.store true
                    		unknown