Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528226
MD5:	6143162264c50290f1925ce5713b921a
SHA1:	949da180ccf993c11c9e104f38402d891526d9ae
SHA256:	d6d5c6f5f79e371a818ecb16931b1f73461c4585479d794c7c4146d7a55dc069
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4892.1.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["studennotediw.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "spirittunek.stor", "eaglepawnoy.stor", "clearancek.site", "mobbipenju.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D650FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D663B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D699D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	1_2_00D6695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_00D2FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_00D30EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D66094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	1_2_00D5F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D342FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D664B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D3D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00D61440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_00D3B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D49510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D36536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	1_2_00D67520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00D5B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_00D667EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_00D67710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D65700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D428E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_00D249A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	1_2_00D3D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	1_2_00D63920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_00D25A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D33BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00D50B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D69B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_00D4EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_00D47C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	1_2_00D5FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D68D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00D26EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D45E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D47E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D65FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	1_2_00D3FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D5FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D49F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50427 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:55376 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:59002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:63231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:64231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:62421 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:58058 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:63272 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000001.00000003.2301846274.0000000001461000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303959573.0000000001462000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301661776.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ htt equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7cdaee4fd9ae6b2071faa6aa; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 15:08:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlG equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ps://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/I
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D30228	1_2_00D30228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D6A0D0	1_2_00D6A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64040	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D21000	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D32030	1_2_00D32030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D271F0	1_2_00D271F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D	1_2_00E1B18D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2E1A0	1_2_00D2E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B	1_2_00EF714B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D25160	1_2_00D25160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DDA10B	1_2_00DDA10B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D582D0	1_2_00D582D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D512D0	1_2_00D512D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D212F7	1_2_00D212F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEE2A2	1_2_00EEE2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFD22F	1_2_00EFD22F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D523E0	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D213A3	1_2_00D213A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2B3A0	1_2_00D2B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF3391	1_2_00EF3391
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ED0326	1_2_00ED0326
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A300	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF833B	1_2_00EF833B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D564F0	1_2_00D564F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3049B	1_2_00D3049B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34487	1_2_00D34487
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4C470	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3C5F0	1_2_00D3C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28590	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D235B0	1_2_00D235B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E27531	1_2_00E27531
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D686F0	1_2_00D686F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68652	1_2_00D68652
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2164F	1_2_00D2164F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5F620	1_2_00D5F620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F007DA	1_2_00F007DA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5B8C0	1_2_00D5B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5E8A0	1_2_00D5E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A850	1_2_00D2A850
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFB865	1_2_00EFB865
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D51860	1_2_00D51860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4098B	1_2_00D4098B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D689A0	1_2_00D689A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F6B91D	1_2_00F6B91D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68A80	1_2_00D68A80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67AB0	1_2_00D67AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64A40	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE9A49	1_2_00EE9A49
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D27BF0	1_2_00D27BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3DB6F	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4CCD0	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8BCAC	1_2_00F8BCAC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D66CBF	1_2_00D66CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFEC65	1_2_00EFEC65
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68C02	1_2_00D68C02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E98C03	1_2_00E98C03
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEFD72	1_2_00EEFD72
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D48D62	1_2_00D48D62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4FD10	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4DD29	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2BEB0	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D36EBF	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4AE57	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68E70	1_2_00D68E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34E2A	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28FD0	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67FC0	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2AF10	1_2_00D2AF10

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D3D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D2CAA0 appears 48 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994649855610561
Source: file.exe	Static PE information: Section: cbcphhfl ZLIB complexity 0.9938742351062192

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D58220 CoCreateInstance,

1_2_00D58220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1832960 > 1048576

Source: file.exe

Static PE information: Raw size of cbcphhfl is bigger than: 0x100000 < 0x196000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c2002 should be: 0x1ceee6

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: cbcphhfl
Source: file.exe	Static PE information: section name: zbkgdmce
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC70F9 push edx; mov dword ptr [esp], ebx	1_2_00FC711C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F650E6 push 1E6F9DA3h; mov dword ptr [esp], eax	1_2_00F65007
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push eax; mov dword ptr [esp], esi	1_2_00FBF20D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push ebx; mov dword ptr [esp], ecx	1_2_00FBF211
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push eax; mov dword ptr [esp], ecx	1_2_00F1C0BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push 17518A61h; mov dword ptr [esp], edx	1_2_00F1C0DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push ebp; mov dword ptr [esp], edx	1_2_00F1B01A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push 7F3A5093h; mov dword ptr [esp], eax	1_2_00F1B0BC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 34C7DC77h; mov dword ptr [esp], edi	1_2_00F2805A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push ebp; mov dword ptr [esp], esi	1_2_00F2809E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], edi	1_2_00F280BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], esi	1_2_00F280E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 6591B56Dh; mov dword ptr [esp], edx	1_2_00F28100
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push ebp; mov dword ptr [esp], 59FF29AAh	1_2_011BA1B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push eax; mov dword ptr [esp], 2F37F803h	1_2_011BA1C9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push 19A94B32h; mov dword ptr [esp], ecx	1_2_011BA273
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push edx; mov dword ptr [esp], ecx	1_2_011BA2D4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8F01D push edi; mov dword ptr [esp], eax	1_2_00F8F1E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC000E push eax; mov dword ptr [esp], ebx	1_2_00FC0032
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 53951845h; mov dword ptr [esp], ebp	1_2_00FAB234
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push ebx; mov dword ptr [esp], 4E54FDE6h	1_2_00FAB2AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 113215CEh; mov dword ptr [esp], esp	1_2_00FAB2CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], ebp	1_2_00E1B1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 1B5EAE3Fh; mov dword ptr [esp], esp	1_2_00E1B1AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6432BD90h; mov dword ptr [esp], esi	1_2_00E1B212
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6A0B9914h; mov dword ptr [esp], edi	1_2_00E1B22D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 09F99E72h; mov dword ptr [esp], ebx	1_2_00E1B2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], esi	1_2_00E1B302
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push ebp; mov dword ptr [esp], ecx	1_2_00E1B366
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push 259C4982h; mov dword ptr [esp], eax	1_2_00EF7165
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push ebp; mov dword ptr [esp], edx	1_2_00EF716F

Source: file.exe	Static PE information: section name: entropy: 7.982307743980005
Source: file.exe	Static PE information: section name: cbcphhfl entropy: 7.954080802016992

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8426B second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F310118DD76h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F310118DD85h 0x00000012 nop 0x00000013 cld 0x00000014 push dword ptr [ebp+122D0AD5h] 0x0000001a mov dword ptr [ebp+122D1B63h], eax 0x00000020 call dword ptr [ebp+122D1E03h] 0x00000026 pushad 0x00000027 stc 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D2A26h], eax 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D2D9Dh], esi 0x0000003a mov dword ptr [ebp+122D3928h], eax 0x00000040 or dword ptr [ebp+122D2D9Dh], edx 0x00000046 mov esi, 0000003Ch 0x0000004b clc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 pushad 0x00000051 or dword ptr [ebp+122D2B97h], edi 0x00000057 pushad 0x00000058 mov eax, dword ptr [ebp+122D38ACh] 0x0000005e push ebx 0x0000005f pop esi 0x00000060 popad 0x00000061 popad 0x00000062 lodsw 0x00000064 stc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 mov dword ptr [ebp+122D2A26h], ecx 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 jc 00007F310118DD7Ch 0x00000079 mov dword ptr [ebp+122D2D9Dh], edx 0x0000007f nop 0x00000080 push eax 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E54 second address: F05E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E58 second address: F05E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F310118DD82h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFE797 second address: EFE7AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 ja 00007F31011E0E46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05074 second address: F050B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F310118DD76h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F310118DD87h 0x00000017 jmp 00007F310118DD86h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0520D second address: F05211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05211 second address: F05215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0536F second address: F05373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05373 second address: F05379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F054EA second address: F054F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jno 00007F31011E0E46h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0579C second address: F057BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD89h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07388 second address: F0738C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0738C second address: F073E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F310118DD85h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 jns 00007F310118DD78h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 js 00007F310118DD80h 0x00000026 pop eax 0x00000027 jg 00007F310118DD77h 0x0000002d cmc 0x0000002e lea ebx, dword ptr [ebp+12456FF2h] 0x00000034 movzx esi, si 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F073E3 second address: F073E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07476 second address: F0747D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0747D second address: F07483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07483 second address: F07487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07487 second address: F0748B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0748B second address: F074FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 043A0E06h 0x0000000f push 00000003h 0x00000011 call 00007F310118DD88h 0x00000016 jo 00007F310118DD7Bh 0x0000001c adc si, EC8Ah 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F310118DD78h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e push 00000003h 0x00000040 jc 00007F310118DD82h 0x00000046 ja 00007F310118DD7Ch 0x0000004c push E806B644h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push edi 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F074FF second address: F07505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28B17 second address: F28B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F310118DD90h 0x0000000e js 00007F310118DD78h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490A second address: EF490E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490E second address: EF4918 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4918 second address: EF4924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269E6 second address: F269FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269FB second address: F26A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A00 second address: F26A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Fh 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A17 second address: F26A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B67 second address: F26B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B6D second address: F26B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B7D second address: F26BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F310118DD86h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BA1 second address: F26BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E57h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BBC second address: F26BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26D38 second address: F26D48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E48h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27403 second address: F27416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F310118DD76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27416 second address: F2742B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2742B second address: F27431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27431 second address: F2744D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Ch 0x00000008 ja 00007F31011E0E52h 0x0000000e ja 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2758A second address: F27590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2784C second address: F27860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEDD83 second address: EEDD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285F8 second address: F285FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285FE second address: F28602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28602 second address: F28623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E59h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B548 second address: F2B573 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD88h 0x00000008 jmp 00007F310118DD82h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F310118DD7Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B573 second address: F2B579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B579 second address: F2B57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BDE0 second address: F2BDEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CFA4 second address: F2CFB2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2DFA5 second address: F2DFE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F31011E0E4Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F31011E0E51h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5B7 second address: F2F5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F310118DD88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5D3 second address: F2F5DD instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1379 second address: EF1383 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BBE second address: F30BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BC9 second address: F30BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BD3 second address: F30BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF98FD second address: EF9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9906 second address: EF990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3512F second address: F35135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35135 second address: F35139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35139 second address: F3513D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3513D second address: F3515F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E51h 0x0000000e jbe 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352AB second address: F352C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352C0 second address: F352CC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3874B second address: F38755 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38755 second address: F3875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BEC second address: F38BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BF0 second address: F38C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E59h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F393B4 second address: F393BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3985B second address: F39861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39861 second address: F39872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD7Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39872 second address: F39876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F86 second address: F39F8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F8C second address: F39F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9C7 second address: F3A9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F310118DD76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9D9 second address: F3A9DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9DF second address: F3A9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BB88 second address: F3BBDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F31011E0E48h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a jmp 00007F31011E0E59h 0x0000002f push eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BBDD second address: F3BBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C589 second address: F3C60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F31011E0E4Bh 0x0000000c nop 0x0000000d jno 00007F31011E0E4Ch 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F31011E0E48h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f or edi, dword ptr [ebp+122D39E4h] 0x00000035 xor dword ptr [ebp+124790A5h], esi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F31011E0E48h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1D24h], ebx 0x0000005d jo 00007F31011E0E4Ch 0x00000063 or esi, dword ptr [ebp+122D2A3Eh] 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d push esi 0x0000006e pop esi 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C60E second address: F3C626 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3D13F second address: F3D155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E5E3 second address: F3E659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F310118DD89h 0x00000012 push 00000000h 0x00000014 call 00007F310118DD85h 0x00000019 mov esi, edi 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F310118DD78h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F310118DD7Ch 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E659 second address: F3E65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA77 second address: F3FA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA86 second address: F3FA8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA8C second address: F3FA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42DC5 second address: F42E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b mov bx, di 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F31011E0E48h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a cmc 0x0000002b mov edi, 55389E7Bh 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D20FDh], ebx 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F31011E0E57h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42178 second address: F42191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007F310118DD76h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4306E second address: F43078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48F8F second address: F48F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4802C second address: F48045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007F31011E0E46h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jng 00007F31011E0E4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491AF second address: F491B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491B4 second address: F491C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491C4 second address: F491C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DD45 second address: F4DD49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF51 second address: F4AF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF26 second address: F4DF2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF57 second address: F4AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF2C second address: F4DF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4FF4F second address: F4FF54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF5C second address: F4AF62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F51015 second address: F51019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF62 second address: F4AF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF66 second address: F4AF86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCDB second address: EFCCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE4 second address: EFCCE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE8 second address: EFCCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCEE second address: EFCCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF4 second address: EFCCF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF9 second address: EFCD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a push edi 0x0000000b jmp 00007F310118DD7Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F588AA second address: F588B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58A97 second address: F58A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58D4B second address: F58D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F31011E0E4Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E53A second address: F5E570 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F310118DD78h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 je 00007F310118DD95h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F310118DD87h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E570 second address: F5E597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F31011E0E56h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E597 second address: F5E5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F310118DD76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E71C second address: F5E720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EA4 second address: EF2EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F310118DD8Bh 0x0000000b jmp 00007F310118DD82h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EDA second address: EF2EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62EB3 second address: F62ED4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD88h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F310118DD80h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED4 second address: F62ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED8 second address: F62EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63417 second address: F6341B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6341B second address: F6343B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD82h 0x00000007 jns 00007F310118DD76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6343B second address: F63445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63445 second address: F6344F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6344F second address: F63472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E52h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c js 00007F31011E0E62h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63472 second address: F63476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63A38 second address: F63A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E52h 0x00000009 je 00007F31011E0E46h 0x0000000f popad 0x00000010 jmp 00007F31011E0E52h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F31011E0E52h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C76 second address: F65C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C7C second address: F65C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6493 second address: EF6497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6497 second address: EF64A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F31011E0E52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF64A5 second address: EF64AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E09 second address: F69E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F31011E0E46h 0x00000011 jmp 00007F31011E0E58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E34 second address: F69E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A121 second address: F6A127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A426 second address: F6A42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A58E second address: F6A5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F31011E0E56h 0x0000000d popad 0x0000000e je 00007F31011E0E4Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A71A second address: F6A738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F310118DD82h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A738 second address: F6A73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB6A second address: F6AB7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACAE second address: F6ACC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F31011E0E4Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACC4 second address: F6ACEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push edi 0x00000009 jmp 00007F310118DD87h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F310118DD76h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E493 second address: F1E497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E497 second address: F1E4C2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD76h 0x00000008 je 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F310118DD82h 0x00000015 push ebx 0x00000016 ja 00007F310118DD76h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF863 second address: EEF888 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E57h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF888 second address: EEF88D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3716E second address: F37174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3770A second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+1245214Ch], ebx 0x0000000e push dword ptr [ebp+122D0AD5h] 0x00000014 mov dword ptr [ebp+122D5981h], edx 0x0000001a call dword ptr [ebp+122D1E03h] 0x00000020 pushad 0x00000021 stc 0x00000022 xor eax, eax 0x00000024 mov dword ptr [ebp+122D2A26h], eax 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e mov dword ptr [ebp+122D2D9Dh], esi 0x00000034 mov dword ptr [ebp+122D3928h], eax 0x0000003a or dword ptr [ebp+122D2D9Dh], edx 0x00000040 mov esi, 0000003Ch 0x00000045 clc 0x00000046 add esi, dword ptr [esp+24h] 0x0000004a pushad 0x0000004b or dword ptr [ebp+122D2B97h], edi 0x00000051 pushad 0x00000052 mov eax, dword ptr [ebp+122D38ACh] 0x00000058 push ebx 0x00000059 pop esi 0x0000005a popad 0x0000005b popad 0x0000005c lodsw 0x0000005e stc 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 mov dword ptr [ebp+122D2A26h], ecx 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d jc 00007F310118DD7Ch 0x00000073 mov dword ptr [ebp+122D2D9Dh], edx 0x00000079 nop 0x0000007a push eax 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37860 second address: F3786A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3786A second address: F3786E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37961 second address: F37965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37965 second address: F3796B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3796B second address: F37970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BEB second address: F37BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BF0 second address: F37C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E53h 0x0000000f push ecx 0x00000010 jnl 00007F31011E0E46h 0x00000016 pop ecx 0x00000017 popad 0x00000018 nop 0x00000019 mov dh, cl 0x0000001b push 00000004h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F31011E0E48h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov edx, dword ptr [ebp+122D38A4h] 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37C45 second address: F37C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3842D second address: F38437 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38437 second address: F384E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, 20BB5D96h 0x0000000e lea eax, dword ptr [ebp+1248703Ah] 0x00000014 or edi, 3769B924h 0x0000001a nop 0x0000001b jno 00007F310118DD80h 0x00000021 push eax 0x00000022 pushad 0x00000023 js 00007F310118DD78h 0x00000029 push edx 0x0000002a pop edx 0x0000002b jo 00007F310118DD83h 0x00000031 jmp 00007F310118DD7Dh 0x00000036 popad 0x00000037 nop 0x00000038 sub di, D2A3h 0x0000003d lea eax, dword ptr [ebp+12486FF6h] 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007F310118DD78h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d nop 0x0000005e pushad 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jg 00007F310118DD76h 0x00000068 popad 0x00000069 jmp 00007F310118DD87h 0x0000006e popad 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F310118DD7Dh 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E2 second address: F384E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E8 second address: F384ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384ED second address: F1E493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E57h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov di, 7A27h 0x00000011 call dword ptr [ebp+122D2D3Ch] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F31011E0E46h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EA20 second address: F6EA2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB71 second address: F6EB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB7E second address: F6EB94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB94 second address: F6EB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EE44 second address: F6EE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F129 second address: F6F12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F3F1 second address: F6F40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jno 00007F310118DD76h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F40B second address: F6F428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F31011E0E62h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78785 second address: F7878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7878A second address: F78790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B1 second address: F775B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B7 second address: F775C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775C3 second address: F775D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F310118DD7Eh 0x0000000b jne 00007F310118DD76h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775D6 second address: F775F9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F31011E0E46h 0x00000014 jmp 00007F31011E0E4Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77779 second address: F777A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F310118DD81h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Dh 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jl 00007F310118DD76h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ABE second address: F77AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77AC2 second address: F77ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F310118DD83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ADB second address: F77AED instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E48h 0x00000008 jo 00007F31011E0E4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F771F3 second address: F771F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781A8 second address: F781AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781AC second address: F781B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7847A second address: F78482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78482 second address: F78499 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F310118DD7Ah 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78499 second address: F784AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jp 00007F31011E0E46h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F784AA second address: F784B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD78h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D335 second address: F7D33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D47C second address: F7D4A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD7Ch 0x00000008 jmp 00007F310118DD86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D4A9 second address: F7D4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80424 second address: F80428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80428 second address: F80468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E59h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F31011E0E56h 0x00000013 popad 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80468 second address: F8046E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD48 second address: F7FD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD4C second address: F7FD50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAA second address: F7FEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAE second address: F7FEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80025 second address: F8004A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E57h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8004A second address: F80052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80052 second address: F80056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F844F9 second address: F84515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F310118DD87h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84515 second address: F8451B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8499B second address: F8499F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A446 second address: F8A44A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44A second address: F8A44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44E second address: F8A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88D56 second address: F88D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EF6 second address: F88EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EFE second address: F88F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89350 second address: F89354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37E12 second address: F37E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37EEF second address: F37EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F31011E0E4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A0F7 second address: F8A118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F310118DD88h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A118 second address: F8A130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jo 00007F31011E0E48h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A130 second address: F8A134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A134 second address: F8A15E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F31011E0E46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A15E second address: F8A17F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 jmp 00007F310118DD80h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DF9F second address: F8DFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Ah 0x00000009 jmp 00007F31011E0E54h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F31011E0E4Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2B5 second address: F8E2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2BE second address: F8E2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2C9 second address: F8E2DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD78h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2DB second address: F8E33E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F31011E0E55h 0x00000018 pop edx 0x00000019 jns 00007F31011E0E61h 0x0000001f jp 00007F31011E0E48h 0x00000025 push esi 0x00000026 pop esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96F4E second address: F96F65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F310118DD7Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9511F second address: F95144 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F31011E0E56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95D22 second address: F95D2E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96024 second address: F9603C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9603C second address: F9605C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jng 00007F310118DD99h 0x0000000d jmp 00007F310118DD7Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9630E second address: F96347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F31011E0E56h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F31011E0E46h 0x00000022 jnl 00007F31011E0E46h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96347 second address: F9634B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C37 second address: F96C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C3B second address: F96C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C46 second address: F96C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C4C second address: F96C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C57 second address: F96C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C5B second address: F96C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E522 second address: F9E528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E6A2 second address: F9E6C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD76h 0x00000008 jnp 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007F310118DD76h 0x00000017 ja 00007F310118DD76h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9EC43 second address: F9EC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94DF second address: FA94E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E3 second address: FA94E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E8 second address: FA94FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ch 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94FD second address: FA952E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F31011E0E51h 0x00000016 popad 0x00000017 jnp 00007F31011E0E4Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA952E second address: FA9538 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96BC second address: FA96C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C0 second address: FA96C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C4 second address: FA96E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F31011E0E52h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E2 second address: FA96E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E7 second address: FA96F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E48h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B29 second address: FA9B37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B37 second address: FA9B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DE7 second address: FA9DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DEB second address: FA9DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9F61 second address: FA9F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADC6 second address: FAADCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADCA second address: FAADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F310118DD7Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB0178 second address: FB018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F31011E0E46h 0x0000000a jns 00007F31011E0E46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB018A second address: FB018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB02BC second address: FB02C6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD021 second address: FBD02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFDF8 second address: FBFE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75E9 second address: FC75EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75EF second address: FC7621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F31011E0E4Ch 0x0000000a jmp 00007F31011E0E50h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F31011E0E4Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7621 second address: FC762A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC762A second address: FC7630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD001B second address: FD0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F310118DD88h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0038 second address: FD0044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0044 second address: FD0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D1 second address: FD39D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D6 second address: FD39DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39DC second address: FD3A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E4Dh 0x0000000f jmp 00007F31011E0E53h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F31011E0E46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A0E second address: FD3A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A18 second address: FD3A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9098 second address: FD90AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F310118DD7Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD90AC second address: FD90B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7912 second address: FD791C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD791C second address: FD7922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7922 second address: FD7929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7929 second address: FD7969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F31011E0E46h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F31011E0E58h 0x00000019 jmp 00007F31011E0E53h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7969 second address: FD7987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F310118DD76h 0x0000000a jmp 00007F310118DD84h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7987 second address: FD798D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AC7 second address: FD7ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7ACF second address: FD7AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AD4 second address: FD7AEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F310118DD81h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AEE second address: FD7AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AF4 second address: FD7B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d js 00007F310118DD7Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DA4 second address: FD7DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DAA second address: FD7DBE instructions: 0x00000000 rdtsc 0x00000002 js 00007F310118DD76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F310118DD76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DBE second address: FD7DDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F31 second address: FD7F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F310118DD76h 0x0000000a jmp 00007F310118DD86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F53 second address: FD7F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F58 second address: FD7F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80DE second address: FD80E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80E6 second address: FD80ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8264 second address: FD8268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8268 second address: FD8299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F310118DD80h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F310118DD80h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83E4 second address: FD83F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jp 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83F6 second address: FD83FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83FA second address: FD8400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8DB7 second address: FD8DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCDF4 second address: FDCE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F31011E0E55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F31011E0E5Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F31011E0E52h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jl 00007F31011E0E46h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCE3A second address: FDCE64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F310118DD82h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F310118DD82h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5B7 second address: FED5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5BB second address: FED5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007F310118DD82h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101216C second address: 101218A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F31011E0E46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F31011E0E52h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101243F second address: 1012443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012443 second address: 1012457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F31011E0E48h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012457 second address: 1012476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F310118DD76h 0x0000000a jmp 00007F310118DD85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012476 second address: 101247A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101247A second address: 1012488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012488 second address: 101248C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101248C second address: 101249E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F310118DD7Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101249E second address: 10124BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E58h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10129F8 second address: 1012A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B92 second address: 1012B9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B9C second address: 1012BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012BA0 second address: 1012BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E53h 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012D1B second address: 1012D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012E97 second address: 1012EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EA3 second address: 1012EAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F310118DD7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EAD second address: 1012EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EBA second address: 1012EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F310118DD76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EC8 second address: 1012ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F31011E0E46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015EF3 second address: 1015F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F310118DD7Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F04 second address: 1015F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F08 second address: 1015F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edx, cx 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F310118DD78h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 65426583h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push edi 0x00000032 pop edi 0x00000033 jmp 00007F310118DD81h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F5C second address: 1015F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016184 second address: 1016188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016188 second address: 1016193 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016193 second address: 10161A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161A3 second address: 10161B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161B0 second address: 10161FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F310118DD78h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D216Fh], edx 0x0000002d mov dx, bx 0x00000030 push dword ptr [ebp+122D2C32h] 0x00000036 add edx, dword ptr [ebp+122D3688h] 0x0000003c push 60DF20B3h 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 push ebx 0x00000045 pop ebx 0x00000046 pop ebx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161FD second address: 1016203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A8E5 second address: 101A947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 jmp 00007F310118DD82h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007F310118DD87h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F310118DD89h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 jp 00007F310118DD76h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A947 second address: 101A951 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5040DDB second address: 5040DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83A59 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83B24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F2B6EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FB6A92 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6312

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.2303667116.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`x@

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D65BB0 LdrInitializeThunk,

1_2_00D65BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: UProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

Contacted Domains

Name	IP	Active
steamcommunity.com	104.102.49.254	true
eaglepawnoy.store	unknown	unknown
bathdoomgaz.store	unknown	unknown
spirittunek.store	unknown	unknown
licendfilteo.site	unknown	unknown
studennotediw.store	unknown	unknown
mobbipenju.store	unknown	unknown
clearancek.site	unknown	unknown
dissapoiznw.store	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4892.1.memstrmin

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D650FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D663B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D699D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	1_2_00D6695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_00D2FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_00D30EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D66094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	1_2_00D5F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D342FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D664B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D3D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00D61440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_00D3B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D49510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D36536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	1_2_00D67520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00D5B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_00D667EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_00D67710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D65700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D428E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_00D249A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	1_2_00D3D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	1_2_00D63920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_00D25A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D33BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00D50B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D69B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_00D4EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_00D47C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	1_2_00D5FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D68D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00D26EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D45E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D47E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D65FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	1_2_00D3FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D5FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D49F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50427 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:55376 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:59002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:63231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:64231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:62421 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:58058 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:63272 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000001.00000003.2301846274.0000000001461000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303959573.0000000001462000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301661776.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ htt equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7cdaee4fd9ae6b2071faa6aa; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 15:08:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlG equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ps://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/I
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D30228	1_2_00D30228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D6A0D0	1_2_00D6A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64040	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D21000	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D32030	1_2_00D32030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D271F0	1_2_00D271F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D	1_2_00E1B18D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2E1A0	1_2_00D2E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B	1_2_00EF714B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D25160	1_2_00D25160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DDA10B	1_2_00DDA10B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D582D0	1_2_00D582D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D512D0	1_2_00D512D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D212F7	1_2_00D212F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEE2A2	1_2_00EEE2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFD22F	1_2_00EFD22F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D523E0	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D213A3	1_2_00D213A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2B3A0	1_2_00D2B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF3391	1_2_00EF3391
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ED0326	1_2_00ED0326
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A300	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF833B	1_2_00EF833B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D564F0	1_2_00D564F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3049B	1_2_00D3049B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34487	1_2_00D34487
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4C470	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3C5F0	1_2_00D3C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28590	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D235B0	1_2_00D235B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E27531	1_2_00E27531
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D686F0	1_2_00D686F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68652	1_2_00D68652
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2164F	1_2_00D2164F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5F620	1_2_00D5F620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F007DA	1_2_00F007DA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5B8C0	1_2_00D5B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5E8A0	1_2_00D5E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A850	1_2_00D2A850
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFB865	1_2_00EFB865
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D51860	1_2_00D51860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4098B	1_2_00D4098B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D689A0	1_2_00D689A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F6B91D	1_2_00F6B91D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68A80	1_2_00D68A80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67AB0	1_2_00D67AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64A40	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE9A49	1_2_00EE9A49
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D27BF0	1_2_00D27BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3DB6F	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4CCD0	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8BCAC	1_2_00F8BCAC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D66CBF	1_2_00D66CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFEC65	1_2_00EFEC65
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68C02	1_2_00D68C02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E98C03	1_2_00E98C03
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEFD72	1_2_00EEFD72
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D48D62	1_2_00D48D62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4FD10	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4DD29	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2BEB0	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D36EBF	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4AE57	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68E70	1_2_00D68E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34E2A	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28FD0	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67FC0	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2AF10	1_2_00D2AF10

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D3D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D2CAA0 appears 48 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994649855610561
Source: file.exe	Static PE information: Section: cbcphhfl ZLIB complexity 0.9938742351062192

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D58220 CoCreateInstance,

1_2_00D58220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1832960 > 1048576

Source: file.exe

Static PE information: Raw size of cbcphhfl is bigger than: 0x100000 < 0x196000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c2002 should be: 0x1ceee6

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: cbcphhfl
Source: file.exe	Static PE information: section name: zbkgdmce
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC70F9 push edx; mov dword ptr [esp], ebx	1_2_00FC711C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F650E6 push 1E6F9DA3h; mov dword ptr [esp], eax	1_2_00F65007
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push eax; mov dword ptr [esp], esi	1_2_00FBF20D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push ebx; mov dword ptr [esp], ecx	1_2_00FBF211
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push eax; mov dword ptr [esp], ecx	1_2_00F1C0BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push 17518A61h; mov dword ptr [esp], edx	1_2_00F1C0DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push ebp; mov dword ptr [esp], edx	1_2_00F1B01A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push 7F3A5093h; mov dword ptr [esp], eax	1_2_00F1B0BC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 34C7DC77h; mov dword ptr [esp], edi	1_2_00F2805A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push ebp; mov dword ptr [esp], esi	1_2_00F2809E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], edi	1_2_00F280BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], esi	1_2_00F280E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 6591B56Dh; mov dword ptr [esp], edx	1_2_00F28100
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push ebp; mov dword ptr [esp], 59FF29AAh	1_2_011BA1B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push eax; mov dword ptr [esp], 2F37F803h	1_2_011BA1C9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push 19A94B32h; mov dword ptr [esp], ecx	1_2_011BA273
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push edx; mov dword ptr [esp], ecx	1_2_011BA2D4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8F01D push edi; mov dword ptr [esp], eax	1_2_00F8F1E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC000E push eax; mov dword ptr [esp], ebx	1_2_00FC0032
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 53951845h; mov dword ptr [esp], ebp	1_2_00FAB234
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push ebx; mov dword ptr [esp], 4E54FDE6h	1_2_00FAB2AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 113215CEh; mov dword ptr [esp], esp	1_2_00FAB2CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], ebp	1_2_00E1B1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 1B5EAE3Fh; mov dword ptr [esp], esp	1_2_00E1B1AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6432BD90h; mov dword ptr [esp], esi	1_2_00E1B212
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6A0B9914h; mov dword ptr [esp], edi	1_2_00E1B22D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 09F99E72h; mov dword ptr [esp], ebx	1_2_00E1B2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], esi	1_2_00E1B302
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push ebp; mov dword ptr [esp], ecx	1_2_00E1B366
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push 259C4982h; mov dword ptr [esp], eax	1_2_00EF7165
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push ebp; mov dword ptr [esp], edx	1_2_00EF716F

Source: file.exe	Static PE information: section name: entropy: 7.982307743980005
Source: file.exe	Static PE information: section name: cbcphhfl entropy: 7.954080802016992

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8426B second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F310118DD76h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F310118DD85h 0x00000012 nop 0x00000013 cld 0x00000014 push dword ptr [ebp+122D0AD5h] 0x0000001a mov dword ptr [ebp+122D1B63h], eax 0x00000020 call dword ptr [ebp+122D1E03h] 0x00000026 pushad 0x00000027 stc 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D2A26h], eax 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D2D9Dh], esi 0x0000003a mov dword ptr [ebp+122D3928h], eax 0x00000040 or dword ptr [ebp+122D2D9Dh], edx 0x00000046 mov esi, 0000003Ch 0x0000004b clc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 pushad 0x00000051 or dword ptr [ebp+122D2B97h], edi 0x00000057 pushad 0x00000058 mov eax, dword ptr [ebp+122D38ACh] 0x0000005e push ebx 0x0000005f pop esi 0x00000060 popad 0x00000061 popad 0x00000062 lodsw 0x00000064 stc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 mov dword ptr [ebp+122D2A26h], ecx 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 jc 00007F310118DD7Ch 0x00000079 mov dword ptr [ebp+122D2D9Dh], edx 0x0000007f nop 0x00000080 push eax 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E54 second address: F05E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E58 second address: F05E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F310118DD82h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFE797 second address: EFE7AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 ja 00007F31011E0E46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05074 second address: F050B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F310118DD76h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F310118DD87h 0x00000017 jmp 00007F310118DD86h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0520D second address: F05211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05211 second address: F05215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0536F second address: F05373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05373 second address: F05379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F054EA second address: F054F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jno 00007F31011E0E46h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0579C second address: F057BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD89h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07388 second address: F0738C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0738C second address: F073E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F310118DD85h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 jns 00007F310118DD78h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 js 00007F310118DD80h 0x00000026 pop eax 0x00000027 jg 00007F310118DD77h 0x0000002d cmc 0x0000002e lea ebx, dword ptr [ebp+12456FF2h] 0x00000034 movzx esi, si 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F073E3 second address: F073E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07476 second address: F0747D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0747D second address: F07483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07483 second address: F07487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07487 second address: F0748B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0748B second address: F074FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 043A0E06h 0x0000000f push 00000003h 0x00000011 call 00007F310118DD88h 0x00000016 jo 00007F310118DD7Bh 0x0000001c adc si, EC8Ah 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F310118DD78h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e push 00000003h 0x00000040 jc 00007F310118DD82h 0x00000046 ja 00007F310118DD7Ch 0x0000004c push E806B644h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push edi 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F074FF second address: F07505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28B17 second address: F28B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F310118DD90h 0x0000000e js 00007F310118DD78h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490A second address: EF490E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490E second address: EF4918 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4918 second address: EF4924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269E6 second address: F269FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269FB second address: F26A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A00 second address: F26A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Fh 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A17 second address: F26A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B67 second address: F26B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B6D second address: F26B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B7D second address: F26BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F310118DD86h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BA1 second address: F26BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E57h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BBC second address: F26BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26D38 second address: F26D48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E48h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27403 second address: F27416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F310118DD76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27416 second address: F2742B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2742B second address: F27431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27431 second address: F2744D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Ch 0x00000008 ja 00007F31011E0E52h 0x0000000e ja 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2758A second address: F27590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2784C second address: F27860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEDD83 second address: EEDD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285F8 second address: F285FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285FE second address: F28602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28602 second address: F28623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E59h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B548 second address: F2B573 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD88h 0x00000008 jmp 00007F310118DD82h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F310118DD7Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B573 second address: F2B579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B579 second address: F2B57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BDE0 second address: F2BDEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CFA4 second address: F2CFB2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2DFA5 second address: F2DFE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F31011E0E4Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F31011E0E51h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5B7 second address: F2F5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F310118DD88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5D3 second address: F2F5DD instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1379 second address: EF1383 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BBE second address: F30BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BC9 second address: F30BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BD3 second address: F30BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF98FD second address: EF9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9906 second address: EF990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3512F second address: F35135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35135 second address: F35139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35139 second address: F3513D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3513D second address: F3515F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E51h 0x0000000e jbe 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352AB second address: F352C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352C0 second address: F352CC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3874B second address: F38755 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38755 second address: F3875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BEC second address: F38BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BF0 second address: F38C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E59h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F393B4 second address: F393BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3985B second address: F39861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39861 second address: F39872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD7Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39872 second address: F39876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F86 second address: F39F8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F8C second address: F39F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9C7 second address: F3A9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F310118DD76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9D9 second address: F3A9DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9DF second address: F3A9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BB88 second address: F3BBDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F31011E0E48h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a jmp 00007F31011E0E59h 0x0000002f push eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BBDD second address: F3BBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C589 second address: F3C60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F31011E0E4Bh 0x0000000c nop 0x0000000d jno 00007F31011E0E4Ch 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F31011E0E48h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f or edi, dword ptr [ebp+122D39E4h] 0x00000035 xor dword ptr [ebp+124790A5h], esi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F31011E0E48h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1D24h], ebx 0x0000005d jo 00007F31011E0E4Ch 0x00000063 or esi, dword ptr [ebp+122D2A3Eh] 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d push esi 0x0000006e pop esi 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C60E second address: F3C626 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3D13F second address: F3D155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E5E3 second address: F3E659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F310118DD89h 0x00000012 push 00000000h 0x00000014 call 00007F310118DD85h 0x00000019 mov esi, edi 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F310118DD78h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F310118DD7Ch 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E659 second address: F3E65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA77 second address: F3FA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA86 second address: F3FA8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA8C second address: F3FA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42DC5 second address: F42E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b mov bx, di 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F31011E0E48h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a cmc 0x0000002b mov edi, 55389E7Bh 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D20FDh], ebx 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F31011E0E57h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42178 second address: F42191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007F310118DD76h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4306E second address: F43078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48F8F second address: F48F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4802C second address: F48045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007F31011E0E46h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jng 00007F31011E0E4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491AF second address: F491B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491B4 second address: F491C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491C4 second address: F491C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DD45 second address: F4DD49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF51 second address: F4AF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF26 second address: F4DF2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF57 second address: F4AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF2C second address: F4DF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4FF4F second address: F4FF54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF5C second address: F4AF62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F51015 second address: F51019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF62 second address: F4AF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF66 second address: F4AF86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCDB second address: EFCCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE4 second address: EFCCE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE8 second address: EFCCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCEE second address: EFCCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF4 second address: EFCCF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF9 second address: EFCD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a push edi 0x0000000b jmp 00007F310118DD7Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F588AA second address: F588B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58A97 second address: F58A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58D4B second address: F58D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F31011E0E4Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E53A second address: F5E570 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F310118DD78h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 je 00007F310118DD95h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F310118DD87h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E570 second address: F5E597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F31011E0E56h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E597 second address: F5E5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F310118DD76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E71C second address: F5E720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EA4 second address: EF2EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F310118DD8Bh 0x0000000b jmp 00007F310118DD82h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EDA second address: EF2EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62EB3 second address: F62ED4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD88h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F310118DD80h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED4 second address: F62ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED8 second address: F62EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63417 second address: F6341B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6341B second address: F6343B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD82h 0x00000007 jns 00007F310118DD76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6343B second address: F63445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63445 second address: F6344F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6344F second address: F63472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E52h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c js 00007F31011E0E62h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63472 second address: F63476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63A38 second address: F63A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E52h 0x00000009 je 00007F31011E0E46h 0x0000000f popad 0x00000010 jmp 00007F31011E0E52h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F31011E0E52h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C76 second address: F65C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C7C second address: F65C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6493 second address: EF6497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6497 second address: EF64A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F31011E0E52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF64A5 second address: EF64AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E09 second address: F69E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F31011E0E46h 0x00000011 jmp 00007F31011E0E58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E34 second address: F69E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A121 second address: F6A127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A426 second address: F6A42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A58E second address: F6A5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F31011E0E56h 0x0000000d popad 0x0000000e je 00007F31011E0E4Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A71A second address: F6A738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F310118DD82h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A738 second address: F6A73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB6A second address: F6AB7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACAE second address: F6ACC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F31011E0E4Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACC4 second address: F6ACEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push edi 0x00000009 jmp 00007F310118DD87h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F310118DD76h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E493 second address: F1E497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E497 second address: F1E4C2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD76h 0x00000008 je 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F310118DD82h 0x00000015 push ebx 0x00000016 ja 00007F310118DD76h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF863 second address: EEF888 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E57h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF888 second address: EEF88D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3716E second address: F37174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3770A second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+1245214Ch], ebx 0x0000000e push dword ptr [ebp+122D0AD5h] 0x00000014 mov dword ptr [ebp+122D5981h], edx 0x0000001a call dword ptr [ebp+122D1E03h] 0x00000020 pushad 0x00000021 stc 0x00000022 xor eax, eax 0x00000024 mov dword ptr [ebp+122D2A26h], eax 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e mov dword ptr [ebp+122D2D9Dh], esi 0x00000034 mov dword ptr [ebp+122D3928h], eax 0x0000003a or dword ptr [ebp+122D2D9Dh], edx 0x00000040 mov esi, 0000003Ch 0x00000045 clc 0x00000046 add esi, dword ptr [esp+24h] 0x0000004a pushad 0x0000004b or dword ptr [ebp+122D2B97h], edi 0x00000051 pushad 0x00000052 mov eax, dword ptr [ebp+122D38ACh] 0x00000058 push ebx 0x00000059 pop esi 0x0000005a popad 0x0000005b popad 0x0000005c lodsw 0x0000005e stc 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 mov dword ptr [ebp+122D2A26h], ecx 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d jc 00007F310118DD7Ch 0x00000073 mov dword ptr [ebp+122D2D9Dh], edx 0x00000079 nop 0x0000007a push eax 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37860 second address: F3786A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3786A second address: F3786E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37961 second address: F37965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37965 second address: F3796B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3796B second address: F37970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BEB second address: F37BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BF0 second address: F37C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E53h 0x0000000f push ecx 0x00000010 jnl 00007F31011E0E46h 0x00000016 pop ecx 0x00000017 popad 0x00000018 nop 0x00000019 mov dh, cl 0x0000001b push 00000004h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F31011E0E48h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov edx, dword ptr [ebp+122D38A4h] 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37C45 second address: F37C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3842D second address: F38437 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38437 second address: F384E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, 20BB5D96h 0x0000000e lea eax, dword ptr [ebp+1248703Ah] 0x00000014 or edi, 3769B924h 0x0000001a nop 0x0000001b jno 00007F310118DD80h 0x00000021 push eax 0x00000022 pushad 0x00000023 js 00007F310118DD78h 0x00000029 push edx 0x0000002a pop edx 0x0000002b jo 00007F310118DD83h 0x00000031 jmp 00007F310118DD7Dh 0x00000036 popad 0x00000037 nop 0x00000038 sub di, D2A3h 0x0000003d lea eax, dword ptr [ebp+12486FF6h] 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007F310118DD78h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d nop 0x0000005e pushad 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jg 00007F310118DD76h 0x00000068 popad 0x00000069 jmp 00007F310118DD87h 0x0000006e popad 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F310118DD7Dh 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E2 second address: F384E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E8 second address: F384ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384ED second address: F1E493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E57h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov di, 7A27h 0x00000011 call dword ptr [ebp+122D2D3Ch] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F31011E0E46h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EA20 second address: F6EA2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB71 second address: F6EB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB7E second address: F6EB94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB94 second address: F6EB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EE44 second address: F6EE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F129 second address: F6F12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F3F1 second address: F6F40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jno 00007F310118DD76h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F40B second address: F6F428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F31011E0E62h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78785 second address: F7878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7878A second address: F78790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B1 second address: F775B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B7 second address: F775C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775C3 second address: F775D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F310118DD7Eh 0x0000000b jne 00007F310118DD76h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775D6 second address: F775F9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F31011E0E46h 0x00000014 jmp 00007F31011E0E4Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77779 second address: F777A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F310118DD81h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Dh 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jl 00007F310118DD76h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ABE second address: F77AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77AC2 second address: F77ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F310118DD83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ADB second address: F77AED instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E48h 0x00000008 jo 00007F31011E0E4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F771F3 second address: F771F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781A8 second address: F781AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781AC second address: F781B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7847A second address: F78482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78482 second address: F78499 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F310118DD7Ah 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78499 second address: F784AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jp 00007F31011E0E46h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F784AA second address: F784B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD78h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D335 second address: F7D33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D47C second address: F7D4A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD7Ch 0x00000008 jmp 00007F310118DD86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D4A9 second address: F7D4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80424 second address: F80428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80428 second address: F80468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E59h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F31011E0E56h 0x00000013 popad 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80468 second address: F8046E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD48 second address: F7FD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD4C second address: F7FD50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAA second address: F7FEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAE second address: F7FEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80025 second address: F8004A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E57h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8004A second address: F80052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80052 second address: F80056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F844F9 second address: F84515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F310118DD87h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84515 second address: F8451B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8499B second address: F8499F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A446 second address: F8A44A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44A second address: F8A44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44E second address: F8A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88D56 second address: F88D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EF6 second address: F88EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EFE second address: F88F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89350 second address: F89354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37E12 second address: F37E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37EEF second address: F37EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F31011E0E4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A0F7 second address: F8A118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F310118DD88h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A118 second address: F8A130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jo 00007F31011E0E48h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A130 second address: F8A134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A134 second address: F8A15E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F31011E0E46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A15E second address: F8A17F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 jmp 00007F310118DD80h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DF9F second address: F8DFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Ah 0x00000009 jmp 00007F31011E0E54h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F31011E0E4Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2B5 second address: F8E2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2BE second address: F8E2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2C9 second address: F8E2DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD78h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2DB second address: F8E33E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F31011E0E55h 0x00000018 pop edx 0x00000019 jns 00007F31011E0E61h 0x0000001f jp 00007F31011E0E48h 0x00000025 push esi 0x00000026 pop esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96F4E second address: F96F65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F310118DD7Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9511F second address: F95144 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F31011E0E56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95D22 second address: F95D2E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96024 second address: F9603C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9603C second address: F9605C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jng 00007F310118DD99h 0x0000000d jmp 00007F310118DD7Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9630E second address: F96347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F31011E0E56h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F31011E0E46h 0x00000022 jnl 00007F31011E0E46h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96347 second address: F9634B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C37 second address: F96C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C3B second address: F96C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C46 second address: F96C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C4C second address: F96C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C57 second address: F96C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C5B second address: F96C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E522 second address: F9E528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E6A2 second address: F9E6C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD76h 0x00000008 jnp 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007F310118DD76h 0x00000017 ja 00007F310118DD76h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9EC43 second address: F9EC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94DF second address: FA94E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E3 second address: FA94E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E8 second address: FA94FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ch 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94FD second address: FA952E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F31011E0E51h 0x00000016 popad 0x00000017 jnp 00007F31011E0E4Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA952E second address: FA9538 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96BC second address: FA96C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C0 second address: FA96C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C4 second address: FA96E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F31011E0E52h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E2 second address: FA96E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E7 second address: FA96F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E48h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B29 second address: FA9B37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B37 second address: FA9B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DE7 second address: FA9DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DEB second address: FA9DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9F61 second address: FA9F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADC6 second address: FAADCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADCA second address: FAADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F310118DD7Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB0178 second address: FB018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F31011E0E46h 0x0000000a jns 00007F31011E0E46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB018A second address: FB018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB02BC second address: FB02C6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD021 second address: FBD02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFDF8 second address: FBFE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75E9 second address: FC75EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75EF second address: FC7621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F31011E0E4Ch 0x0000000a jmp 00007F31011E0E50h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F31011E0E4Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7621 second address: FC762A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC762A second address: FC7630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD001B second address: FD0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F310118DD88h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0038 second address: FD0044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0044 second address: FD0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D1 second address: FD39D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D6 second address: FD39DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39DC second address: FD3A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E4Dh 0x0000000f jmp 00007F31011E0E53h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F31011E0E46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A0E second address: FD3A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A18 second address: FD3A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9098 second address: FD90AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F310118DD7Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD90AC second address: FD90B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7912 second address: FD791C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD791C second address: FD7922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7922 second address: FD7929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7929 second address: FD7969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F31011E0E46h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F31011E0E58h 0x00000019 jmp 00007F31011E0E53h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7969 second address: FD7987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F310118DD76h 0x0000000a jmp 00007F310118DD84h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7987 second address: FD798D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AC7 second address: FD7ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7ACF second address: FD7AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AD4 second address: FD7AEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F310118DD81h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AEE second address: FD7AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AF4 second address: FD7B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d js 00007F310118DD7Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DA4 second address: FD7DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DAA second address: FD7DBE instructions: 0x00000000 rdtsc 0x00000002 js 00007F310118DD76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F310118DD76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DBE second address: FD7DDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F31 second address: FD7F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F310118DD76h 0x0000000a jmp 00007F310118DD86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F53 second address: FD7F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F58 second address: FD7F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80DE second address: FD80E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80E6 second address: FD80ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8264 second address: FD8268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8268 second address: FD8299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F310118DD80h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F310118DD80h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83E4 second address: FD83F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jp 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83F6 second address: FD83FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83FA second address: FD8400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8DB7 second address: FD8DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCDF4 second address: FDCE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F31011E0E55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F31011E0E5Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F31011E0E52h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jl 00007F31011E0E46h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCE3A second address: FDCE64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F310118DD82h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F310118DD82h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5B7 second address: FED5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5BB second address: FED5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007F310118DD82h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101216C second address: 101218A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F31011E0E46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F31011E0E52h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101243F second address: 1012443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012443 second address: 1012457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F31011E0E48h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012457 second address: 1012476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F310118DD76h 0x0000000a jmp 00007F310118DD85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012476 second address: 101247A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101247A second address: 1012488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012488 second address: 101248C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101248C second address: 101249E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F310118DD7Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101249E second address: 10124BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E58h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10129F8 second address: 1012A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B92 second address: 1012B9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B9C second address: 1012BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012BA0 second address: 1012BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E53h 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012D1B second address: 1012D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012E97 second address: 1012EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EA3 second address: 1012EAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F310118DD7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EAD second address: 1012EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EBA second address: 1012EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F310118DD76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EC8 second address: 1012ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F31011E0E46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015EF3 second address: 1015F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F310118DD7Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F04 second address: 1015F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F08 second address: 1015F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edx, cx 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F310118DD78h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 65426583h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push edi 0x00000032 pop edi 0x00000033 jmp 00007F310118DD81h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F5C second address: 1015F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016184 second address: 1016188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016188 second address: 1016193 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016193 second address: 10161A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161A3 second address: 10161B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161B0 second address: 10161FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F310118DD78h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D216Fh], edx 0x0000002d mov dx, bx 0x00000030 push dword ptr [ebp+122D2C32h] 0x00000036 add edx, dword ptr [ebp+122D3688h] 0x0000003c push 60DF20B3h 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 push ebx 0x00000045 pop ebx 0x00000046 pop ebx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161FD second address: 1016203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A8E5 second address: 101A947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 jmp 00007F310118DD82h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007F310118DD87h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F310118DD89h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 jp 00007F310118DD76h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A947 second address: 101A951 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5040DDB second address: 5040DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83A59 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83B24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F2B6EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FB6A92 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6312

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.2303667116.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`x@

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D65BB0 LdrInitializeThunk,

1_2_00D65BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: UProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

ID:	1528226
Product:	CloudBasic
Start time:	17:07:10
Start date:	07.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6143162264c50290f1925ce5713b921a
SHA1:	949da180ccf993c11c9e104f38402d891526d9ae
SHA256:	d6d5c6f5f79e371a818ecb16931b1f73461c4585479d794c7c4146d7a55dc069
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by