Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529190
MD5: 59c457152e84c2e83bb22799dda88a9d
SHA1: bdff2120b60a7f4aa314fa2b4bb9d17b6e08ad40
SHA256: 9ebca3ec6dfea0b0b7651f739ee00adc72de0984a943f855bb5cde41198cc4bf
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: file.exe.5084.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["bathdoomgaz.storec", "clearancek.site", "mobbipenju.store", "licendfilteo.sitec", "studennotediw.storec", "dissapoiznw.storec", "eaglepawnoy.storec", "spirittunek.storec"], "Build id": "4SD0y4--legendaryy"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1511149673.0000000000E31000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49708 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.8:60242 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.8:53955 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.8:49952 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.8:49720 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.8:52169 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.8:56571 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.8:62896 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.8:60934 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49708 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49708 -> 172.67.206.204:443
Source: Malware configuration extractor URLs: bathdoomgaz.storec
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: licendfilteo.sitec
Source: Malware configuration extractor URLs: studennotediw.storec
Source: Malware configuration extractor URLs: dissapoiznw.storec
Source: Malware configuration extractor URLs: eaglepawnoy.storec
Source: Malware configuration extractor URLs: spirittunek.storec
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.206.204
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497527481.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497527481.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=eng
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1497664141.000000000093E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510805596.000000000093E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/api
Source: file.exe, 00000000.00000002.1510805596.0000000000935000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497664141.0000000000935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1486468820.0000000000987000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497588665.0000000000986000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510942649.0000000000973000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1511007662.0000000000987000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497543262.0000000000972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1497436211.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1511007662.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486574827.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510805596.0000000000935000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497664141.0000000000935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.1510805596.0000000000935000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497664141.0000000000935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.1510805596.0000000000935000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497664141.0000000000935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1497664141.0000000000953000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510805596.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510942649.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497543262.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486553065.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1510805596.0000000000935000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497664141.0000000000935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1486574827.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486529765.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1486451063.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1497436211.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1486468820.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497631958.00000000009C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1486468820.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49708 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E4D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E3CAA0 appears 48 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995165532178217
Source: file.exe Static PE information: Section: zisinevl ZLIB complexity 0.9943861674599577
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E68220 CoCreateInstance, 0_2_00E68220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 1864192 > 1048576
Source: file.exe Static PE information: Raw size of zisinevl is bigger than: 0x100000 < 0x19da00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zisinevl:EW;oonylekf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zisinevl:EW;oonylekf:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1d09d3 should be: 0x1d507b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: zisinevl
Source: file.exe Static PE information: section name: oonylekf
Source: file.exe Static PE information: section name: .taggant
Source: file.exe Static PE information: section name: entropy: 7.980274519211911
Source: file.exe Static PE information: section name: zisinevl entropy: 7.952850089954299

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10448C1 second address: 10448CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F60F8A96Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10448CF second address: 10448D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1044F13 second address: 1044F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10450AF second address: 10450B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10450B3 second address: 10450B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045363 second address: 1045367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045367 second address: 1045387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8F60F8A976h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045443 second address: 1045471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F8F60FAA5B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F8F60FAA5CDh 0x00000017 jmp 00007F8F60FAA5C7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045471 second address: 1045477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045477 second address: 104547B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045522 second address: 1045526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045526 second address: 104552C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104552C second address: 1045573 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F60F8A968h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F8F60F8A968h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 push esi 0x0000002a jne 00007F8F60F8A968h 0x00000030 pop edi 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10462E2 second address: 10462E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1046C68 second address: 1046C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1046C6C second address: 1046C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104800B second address: 104800F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1046C72 second address: 1046CAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnl 00007F8F60FAA5B6h 0x00000013 jmp 00007F8F60FAA5C7h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1049475 second address: 1049494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60F8A96Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007F8F60F8A966h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10487BE second address: 10487F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F8F60FAA5C2h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1049264 second address: 1049279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60F8A971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1049FD6 second address: 1049FDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104A7AA second address: 104A7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8F60F8A96Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104DDBA second address: 104DDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104DDBE second address: 104DDC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1050C6B second address: 1050C71 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104FCB9 second address: 104FCC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8F60F8A966h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1050C71 second address: 1050C88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8F60FAA5B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F8F60FAA5B6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1050C88 second address: 1050C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104FCC3 second address: 104FCC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1050E10 second address: 1050E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1053D03 second address: 1053D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1053D07 second address: 1053D12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055B2A second address: 1055B34 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8F60FAA5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055BE8 second address: 1055BED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1056BA4 second address: 1056BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1056BA9 second address: 1056BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1056BB0 second address: 1056C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F8F60FAA5B8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov ebx, edx 0x00000026 push 00000000h 0x00000028 sub bx, 9EDAh 0x0000002d push 00000000h 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 jne 00007F8F60FAA5B8h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8F60FAA5C8h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1056C08 second address: 1056C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055D0D second address: 1055D87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F8F60FAA5B6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d xor ebx, 56BE8FF2h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov edi, 0EABA25Ah 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 add di, 16D4h 0x0000002b mov eax, dword ptr [ebp+122D15C5h] 0x00000031 or ebx, dword ptr [ebp+1244EF2Fh] 0x00000037 push FFFFFFFFh 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F8F60FAA5B8h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 xor di, A7DAh 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007F8F60FAA5C8h 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105BD0B second address: 105BD1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F60F8A970h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1059F28 second address: 1059F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60FAA5C0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105BD1F second address: 105BD2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1059F3D second address: 1059FE2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8F60FAA5BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F8F60FAA5C1h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F8F60FAA5B8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b jmp 00007F8F60FAA5C3h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 or dword ptr [ebp+1244DF97h], eax 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov di, 8100h 0x00000048 mov eax, dword ptr [ebp+122D1639h] 0x0000004e movsx edi, cx 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push edx 0x00000056 call 00007F8F60FAA5B8h 0x0000005b pop edx 0x0000005c mov dword ptr [esp+04h], edx 0x00000060 add dword ptr [esp+04h], 00000014h 0x00000068 inc edx 0x00000069 push edx 0x0000006a ret 0x0000006b pop edx 0x0000006c ret 0x0000006d mov ebx, 0812D87Bh 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 pop edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100883E second address: 1008842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1008842 second address: 1008848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D3D5 second address: 105D3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8F60F8A966h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105C3C4 second address: 105C3CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105E424 second address: 105E48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D3922h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F8F60F8A968h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d and bx, 0800h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F8F60F8A968h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov ebx, ecx 0x00000050 push eax 0x00000051 pushad 0x00000052 jp 00007F8F60F8A968h 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006E12 second address: 1006E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1063CE2 second address: 1063CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1063CE6 second address: 1063CF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1063CF2 second address: 1063CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1067D2C second address: 1067D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1067D36 second address: 1067D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60F8A96Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1067D45 second address: 1067D64 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8F60FAA5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jno 00007F8F60FAA5B6h 0x00000011 jnc 00007F8F60FAA5B6h 0x00000017 pop esi 0x00000018 popad 0x00000019 pushad 0x0000001a push esi 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10674B0 second address: 10674B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10674B5 second address: 10674C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10674C0 second address: 10674C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10674C4 second address: 10674C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10675EC second address: 10675F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10675F0 second address: 1067640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F8F60FAA5BFh 0x00000012 popad 0x00000013 jnl 00007F8F60FAA5BEh 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007F8F60FAA5C7h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1067640 second address: 106764D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F8F60F8A966h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106764D second address: 1067651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106CB62 second address: 106CB84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F8F60F8A96Eh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jp 00007F8F60F8A966h 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071A23 second address: 1071A4B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F60FAA5B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F8F60FAA5C8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071A4B second address: 1071A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071A4F second address: 1071AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60FAA5C0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F8F60FAA5C4h 0x00000015 pushad 0x00000016 popad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a jnp 00007F8F60FAA5CBh 0x00000020 jmp 00007F8F60FAA5C5h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071AA2 second address: 1071AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071AA8 second address: 1071AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071BF3 second address: 1071BFD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8F60F8A96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071D84 second address: 1071D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8F60FAA5B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071D90 second address: 1071D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071ED6 second address: 1071F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8F60FAA5BEh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e js 00007F8F60FAA5BCh 0x00000014 jp 00007F8F60FAA5B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F8F60FAA5C7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071F14 second address: 1071F23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1071F23 second address: 1071F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F8F60FAA5BDh 0x0000000d jno 00007F8F60FAA5B6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072217 second address: 1072222 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10723D9 second address: 10723DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10723DF second address: 10723E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072541 second address: 1072547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072547 second address: 1072574 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8F60F8A975h 0x0000000d push edi 0x0000000e jmp 00007F8F60F8A96Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1077989 second address: 1077995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F8F60FAA5B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1077995 second address: 107799B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107799B second address: 10779A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100A3E4 second address: 100A3EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100A3EC second address: 100A3F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10766F7 second address: 10766FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AD369 second address: 10AD36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AD36D second address: 10AD38C instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8F60F8A972h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AD4F3 second address: 10AD4F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B6D72 second address: 10B6D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BD5D3 second address: 10BD5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BD5D7 second address: 10BD5E1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C80F5 second address: 10C80F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CBAFF second address: 10CBB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8F60F8A966h 0x0000000a jmp 00007F8F60F8A96Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F8F60F8A966h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CBB1E second address: 10CBB24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CBB24 second address: 10CBB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CBB39 second address: 10CBB45 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F8F60FAA5B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF9856 second address: FF9873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8F60F8A974h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF9873 second address: FF9879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF9879 second address: FF987D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF987D second address: FF9881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CB9A4 second address: 10CB9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60F8A96Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnp 00007F8F60F8A966h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF13D second address: 10DF147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8F60FAA5B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF147 second address: 10DF156 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007F8F60F8A966h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF156 second address: 10DF165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DF165 second address: 10DF169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E914D second address: 10E9151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9151 second address: 10E9155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7D1E second address: 10E7D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7E82 second address: 10E7E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F8F60F8A966h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7E91 second address: 10E7E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8130 second address: 10E8141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8F60F8A96Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8141 second address: 10E8165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F8F60FAA5B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF684 second address: 10EF688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF688 second address: 10EF68C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF68C second address: 10EF698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF698 second address: 10EF6A2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F60FAA5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF24D second address: 10EF258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8F60F8A966h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF258 second address: 10EF25D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF25D second address: 10EF279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8F60F8A966h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jnp 00007F8F60F8A966h 0x00000012 jbe 00007F8F60F8A966h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF39C second address: 10EF3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60FAA5BCh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF3B2 second address: 10EF3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60F8A978h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8F60F8A970h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF3E2 second address: 10EF3EF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8F60FAA5B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F0CBD second address: 10F0CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FB6B4 second address: 10FB6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FB6BA second address: 10FB6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F60F8A96Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F8F60F8A966h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FB6D9 second address: 10FB6E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1102AA5 second address: 1102AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F680 second address: 110F684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F684 second address: 110F68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F68A second address: 110F692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F692 second address: 110F69F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F7D8 second address: 110F7DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1128366 second address: 112837D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F60F8A973h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11271BA second address: 11271DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8F60FAA5C3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11271DA second address: 11271E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127370 second address: 1127376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127376 second address: 1127390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8F60F8A96Bh 0x0000000e jnc 00007F8F60F8A966h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127390 second address: 11273A4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8F60FAA5B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F8F60FAA5BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11277B0 second address: 11277C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8F60F8A96Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127A89 second address: 1127AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F8F60FAA5C2h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnp 00007F8F60FAA5B6h 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8F60FAA5C8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127AC4 second address: 1127AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127D4A second address: 1127D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127D5C second address: 1127D79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F60F8A978h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127EC5 second address: 1127F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jnp 00007F8F60FAA5B8h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007F8F60FAA5BBh 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F8F60FAA5C4h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127F04 second address: 1127F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1127F08 second address: 1127F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112805A second address: 112806B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112806B second address: 112806F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112806F second address: 1128079 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8F60F8A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1128079 second address: 112808C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F60FAA5BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1129A6D second address: 1129A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F8F60F8A966h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1129A7C second address: 1129A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C565 second address: 112C5A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D1847h], eax 0x00000011 push 00000004h 0x00000013 jmp 00007F8F60F8A96Dh 0x00000018 stc 0x00000019 call 00007F8F60F8A969h 0x0000001e push eax 0x0000001f push edx 0x00000020 jne 00007F8F60F8A977h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C5A8 second address: 112C608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8F60FAA5C0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F8F60FAA5C7h 0x00000014 jng 00007F8F60FAA5C7h 0x0000001a jmp 00007F8F60FAA5C1h 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8F60FAA5C1h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C608 second address: 112C63D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60F8A974h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8F60F8A978h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C807 second address: 112C80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C80C second address: 112C8F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60F8A972h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8F60F8A976h 0x00000010 jnc 00007F8F60F8A968h 0x00000016 popad 0x00000017 nop 0x00000018 call 00007F8F60F8A977h 0x0000001d add dh, 00000073h 0x00000020 pop edx 0x00000021 push dword ptr [ebp+122D2089h] 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F8F60F8A968h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 sub dword ptr [ebp+122D1A14h], ebx 0x00000047 call 00007F8F60F8A969h 0x0000004c jnc 00007F8F60F8A97Fh 0x00000052 push eax 0x00000053 jmp 00007F8F60F8A975h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c jg 00007F8F60F8A973h 0x00000062 mov eax, dword ptr [eax] 0x00000064 je 00007F8F60F8A974h 0x0000006a push eax 0x0000006b push edx 0x0000006c jp 00007F8F60F8A966h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112C8F3 second address: 112C914 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push edi 0x0000000c jmp 00007F8F60FAA5C0h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30B4F second address: 4C30B79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60F8A971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8F60F8A96Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30B79 second address: 4C30B7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30B7E second address: 4C30C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b pushad 0x0000000c mov ecx, ebx 0x0000000e jmp 00007F8F60F8A96Bh 0x00000013 popad 0x00000014 jns 00007F8F60F8A9D9h 0x0000001a jmp 00007F8F60F8A976h 0x0000001f add eax, ecx 0x00000021 pushad 0x00000022 call 00007F8F60F8A96Eh 0x00000027 pushfd 0x00000028 jmp 00007F8F60F8A972h 0x0000002d and cx, ED08h 0x00000032 jmp 00007F8F60F8A96Bh 0x00000037 popfd 0x00000038 pop eax 0x00000039 pushfd 0x0000003a jmp 00007F8F60F8A979h 0x0000003f jmp 00007F8F60F8A96Bh 0x00000044 popfd 0x00000045 popad 0x00000046 mov eax, dword ptr [eax+00000860h] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F8F60F8A975h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C2E second address: 4C30C4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C4B second address: 4C30C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C4F second address: 4C30C62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F60FAA5BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C62 second address: 4C30C68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C68 second address: 4C30C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C30C6C second address: 4C30C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8FD2F60A51h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8F60F8A96Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E93A9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10384EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1036AC3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1063D3D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E939D0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5056 Thread sleep time: -60000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.1511187178.0000000001018000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1510744552.00000000008FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000003.1497664141.0000000000953000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1510805596.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1511187178.0000000001018000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E75BB0 LdrInitializeThunk, 0_2_00E75BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe, file.exe, 00000000.00000002.1511187178.0000000001018000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: XProgram Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR