Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529360
MD5: 0d807d16e7731b2dd9cb3048b3a13f14
SHA1: bbb157924fdaa9990df2254d740495c95f15c1c8
SHA256: 08643496ffbec35a84e902dbdbfe27b8b1043d66627dec62d3c6a2f0de76111c
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: file.exe.5960.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "studennotediw.storec", "spirittunek.storec", "licendfilteo.sitec", "dissapoiznw.storec", "eaglepawnoy.storec", "bathdoomgaz.storec", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004BD110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_004F63B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004F5700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_004F695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_004F99D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_004BFCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_004C0EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_004F4040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_004B1000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_004C6F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_004EF030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_004F6094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_004DD1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_004D2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_004D2260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_004C42FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_004BA300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_004F1440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_004CD457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_004DC470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_004DE40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_004CB410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_004F64B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_004D9510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_004F7520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_004C6536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 0_2_004B8590
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_004EB650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_004DE66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_004F7710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_004F67EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_004DD7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_004D28E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_004CD961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_004F3920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_004B49A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_004F4A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_004B5A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_004C1A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_004C1ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_004F9B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_004C1BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_004C3BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_004E0B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_004DEC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_004D7C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_004EFC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004F9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_004F9CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_004DAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_004DAC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_004DFD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_004DDD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004F8D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_004DAE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_004D7E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004D5E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_004C4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_004C1E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_004B6EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_004C6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_004BBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_004D9F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004EFF70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_004CFFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_004F5FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_004B8FD0

Networking

Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:53279 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:54230 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:61521 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:52865 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:51109 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:60343 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:53377 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:56997 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 104.21.53.8:443
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: studennotediw.storec
Source: Malware configuration extractor URLs: spirittunek.storec
Source: Malware configuration extractor URLs: licendfilteo.sitec
Source: Malware configuration extractor URLs: dissapoiznw.storec
Source: Malware configuration extractor URLs: eaglepawnoy.storec
Source: Malware configuration extractor URLs: bathdoomgaz.storec
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3bec567ad78964e101629a82; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 
GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 20:32:04 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.u
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900IF
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C0228 0_2_004C0228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F4040 0_2_004F4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639027 0_2_00639027
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B1000 0_2_004B1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 0_2_0062E007
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C2030 0_2_004C2030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004FA0D0 0_2_004FA0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A4154 0_2_005A4154
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B5160 0_2_004B5160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B71F0 0_2_004B71F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0067F184 0_2_0067F184
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BE1A0 0_2_004BE1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E82D0 0_2_004E82D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E12D0 0_2_004E12D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B12F7 0_2_004B12F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BA300 0_2_004BA300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BC327 0_2_005BC327
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E23E0 0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B13A3 0_2_004B13A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BB3A0 0_2_004BB3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DC470 0_2_004DC470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E64F0 0_2_004E64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C4487 0_2_004C4487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C049B 0_2_004C049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004CC5F0 0_2_004CC5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B8590 0_2_004B8590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B35B0 0_2_004B35B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B164F 0_2_004B164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F8652 0_2_004F8652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EF620 0_2_004EF620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F86F0 0_2_004F86F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0067D6AE 0_2_0067D6AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068269F 0_2_0068269F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BA850 0_2_004BA850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E1860 0_2_004E1860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EB8C0 0_2_004EB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068C8AF 0_2_0068C8AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EE8A0 0_2_004EE8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006879CA 0_2_006879CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066F9CC 0_2_0066F9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D098B 0_2_004D098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F89A0 0_2_004F89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F4A40 0_2_004F4A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00613A5C 0_2_00613A5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00584AC2 0_2_00584AC2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F8A80 0_2_004F8A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F7AB0 0_2_004F7AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004CDB6F 0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00685B04 0_2_00685B04
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B7BF0 0_2_004B7BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F8C02 0_2_004F8C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DCCD0 0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00680CA9 0_2_00680CA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F6CBF 0_2_004F6CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068AC9E 0_2_0068AC9E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D8D62 0_2_004D8D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068FD33 0_2_0068FD33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DFD10 0_2_004DFD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DDD29 0_2_004DDD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DAE57 0_2_004DAE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F8E70 0_2_004F8E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C4E2A 0_2_004C4E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C6EBF 0_2_004C6EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BBEB0 0_2_004BBEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BAF10 0_2_004BAF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F7FC0 0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B8FD0 0_2_004B8FD0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004CD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004BCAA0 appears 48 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9991555796204621
Source: file.exe Static PE information: Section: ozuzauxt ZLIB complexity 0.9943338877436282
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E8220 CoCreateInstance, 0_2_004E8220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 1877504 > 1048576
Source: file.exe Static PE information: Raw size of ozuzauxt is bigger than: 0x100000 < 0x1a0e00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.4b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ozuzauxt:EW;ytfcriws:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ozuzauxt:EW;ytfcriws:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1cd145 should be: 0x1cc6dd
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ozuzauxt
Source: file.exe Static PE information: section name: ytfcriws
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B075 push edx; mov dword ptr [esp], edi 0_2_0070B0A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B075 push esi; mov dword ptr [esp], ebx 0_2_0070B0E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00740047 push 6D01DCE5h; mov dword ptr [esp], ebp 0_2_0074009B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00740047 push 64E0DDCCh; mov dword ptr [esp], ebp 0_2_007400A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639027 push 4693473Ah; mov dword ptr [esp], edi 0_2_00639094
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639027 push ecx; mov dword ptr [esp], 51F38AB1h 0_2_00639109
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639027 push edx; mov dword ptr [esp], ecx 0_2_00639122
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639027 push ebx; mov dword ptr [esp], edx 0_2_00639166
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0051700C push 4D05D28Eh; mov dword ptr [esp], edi 0_2_0051701A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push ecx; mov dword ptr [esp], eax 0_2_0062E092
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push 1AD169D8h; mov dword ptr [esp], ebp 0_2_0062E09F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push ecx; mov dword ptr [esp], ebx 0_2_0062E117
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push 6818DB30h; mov dword ptr [esp], edx 0_2_0062E1C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push 2404245Eh; mov dword ptr [esp], ecx 0_2_0062E1DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push 68EDDB47h; mov dword ptr [esp], esp 0_2_0062E22B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push edx; mov dword ptr [esp], edi 0_2_0062E283
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E007 push edi; mov dword ptr [esp], edx 0_2_0062E287
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00631009 push 1CC71398h; mov dword ptr [esp], esi 0_2_00631071
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00631009 push 07FADA7Ch; mov dword ptr [esp], edx 0_2_0063108B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007060E5 push 18A9FF50h; mov dword ptr [esp], esp 0_2_0070612A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00962031 push 43423898h; mov dword ptr [esp], eax 0_2_00962049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00962031 push eax; mov dword ptr [esp], ecx 0_2_00962089
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00962031 push edx; mov dword ptr [esp], 5D7516ADh 0_2_009620DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00962031 push esi; mov dword ptr [esp], edi 0_2_00962109
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00962031 push eax; mov dword ptr [esp], 7EDF8732h 0_2_00962117
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A4154 push 65A6466Ah; mov dword ptr [esp], ecx 0_2_005A4198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A4154 push 4660C1A0h; mov dword ptr [esp], ebx 0_2_005A41BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A4154 push 273572B0h; mov dword ptr [esp], ecx 0_2_005A41E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A4154 push ebp; mov dword ptr [esp], edi 0_2_005A4261
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0096218D push edx; mov dword ptr [esp], eax 0_2_009621CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0096218D push ebx; mov dword ptr [esp], 7C2DF0D9h 0_2_009621E9
Source: file.exe Static PE information: section name: entropy: 7.966805914787849
Source: file.exe Static PE information: section name: ozuzauxt entropy: 7.954408538139141

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 513CE1 second address: 513CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694FB3 second address: 694FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694FBB second address: 694FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694FC6 second address: 694FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694036 second address: 69403C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69403C second address: 69404B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69404B second address: 69408A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F59A4B60A32h 0x00000013 jmp 00007F59A4B60A1Dh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694237 second address: 694290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45084h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F59A4B4507Fh 0x00000010 popad 0x00000011 push edi 0x00000012 jnp 00007F59A4B45076h 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F59A4B4507Eh 0x00000022 jp 00007F59A4B45076h 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jnc 00007F59A4B45086h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69459F second address: 6945A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6945A5 second address: 6945A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6945A9 second address: 6945BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007F59A4B60A16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F59A4B60A16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69473D second address: 694743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694743 second address: 694747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694747 second address: 69475B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696ECF second address: 696ED9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696ED9 second address: 696EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696EDE second address: 513CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 1EBA13FBh 0x0000000e or dword ptr [ebp+122D25DBh], ebx 0x00000014 push dword ptr [ebp+122D0019h] 0x0000001a mov dword ptr [ebp+122D25DBh], eax 0x00000020 call dword ptr [ebp+122D1907h] 0x00000026 pushad 0x00000027 jmp 00007F59A4B60A23h 0x0000002c xor eax, eax 0x0000002e jnl 00007F59A4B60A1Ch 0x00000034 mov dword ptr [ebp+122D1ACDh], esi 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e pushad 0x0000003f call 00007F59A4B60A23h 0x00000044 mov eax, dword ptr [ebp+122D2C91h] 0x0000004a pop ecx 0x0000004b sub dword ptr [ebp+122D1BB2h], esi 0x00000051 popad 0x00000052 mov dword ptr [ebp+122D2C35h], eax 0x00000058 pushad 0x00000059 mov ax, EDDDh 0x0000005d adc di, 6200h 0x00000062 popad 0x00000063 mov esi, 0000003Ch 0x00000068 xor dword ptr [ebp+122D1BB2h], edx 0x0000006e add esi, dword ptr [esp+24h] 0x00000072 stc 0x00000073 lodsw 0x00000075 jo 00007F59A4B60A17h 0x0000007b clc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 mov dword ptr [ebp+122D1BB2h], edx 0x00000086 js 00007F59A4B60A1Ch 0x0000008c sub dword ptr [ebp+122D1BB2h], ebx 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 jno 00007F59A4B60A1Dh 0x0000009c push eax 0x0000009d pushad 0x0000009e pushad 0x0000009f push eax 0x000000a0 push edx 0x000000a1 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696F32 second address: 696F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697157 second address: 69715B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69715B second address: 697169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697169 second address: 69716D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69716D second address: 697171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697171 second address: 697177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697177 second address: 69717D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69717D second address: 697181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8BA6 second address: 6B8BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8BAA second address: 6B8BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F59A4B60A1Ah 0x0000000d jnc 00007F59A4B60A2Eh 0x00000013 pushad 0x00000014 je 00007F59A4B60A16h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B69F3 second address: 6B6A06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F59A4B4507Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A06 second address: 6B6A0B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A0B second address: 6B6A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45081h 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A2E second address: 6B6A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A34 second address: 6B6A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A39 second address: 6B6A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6A3E second address: 6B6A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6CF7 second address: 6B6D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F59A4B60A1Fh 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6E4A second address: 6B6E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6E4F second address: 6B6E5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007F59A4B60A16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B6E5A second address: 6B6E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F59A4B45076h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B76C4 second address: 6B7700 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F59A4B60A20h 0x00000008 pop edx 0x00000009 jmp 00007F59A4B60A1Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F59A4B60A27h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B7700 second address: 6B7704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B7704 second address: 6B7717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F59A4B60A16h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B7717 second address: 6B771F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B82C4 second address: 6B82CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8490 second address: 6B8496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8617 second address: 6B861C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8780 second address: 6B8786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8A67 second address: 6B8A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8A6B second address: 6B8A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BC1D0 second address: 6BC1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F59A4B60A16h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF702 second address: 6BF706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFB36 second address: 6BFB3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE543 second address: 6BE548 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1907 second address: 6C190B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C190B second address: 6C1911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F8A1 second address: 68F8A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F8A7 second address: 68F8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6FAD second address: 6C6FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6FB1 second address: 6C6FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6FB7 second address: 6C6FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F59A4B60A16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6FC3 second address: 6C6FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7420 second address: 6C7431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F59A4B60A16h 0x00000009 jl 00007F59A4B60A16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7431 second address: 6C7439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7439 second address: 6C743F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C75C7 second address: 6C7602 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Dh 0x00000007 jmp 00007F59A4B45089h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F59A4B45081h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7602 second address: 6C7610 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B60A18h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7610 second address: 6C7639 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F59A4B45076h 0x00000011 jmp 00007F59A4B45083h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9CE0 second address: 6C9CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9D64 second address: 6C9D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9D68 second address: 6C9DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 jmp 00007F59A4B60A29h 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 ja 00007F59A4B60A32h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F59A4B60A28h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9DCD second address: 6C9DF4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F59A4B4507Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B45081h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9DF4 second address: 6C9E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F59A4B60A28h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F59A4B60A18h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 adc edi, 747A53AAh 0x0000002c push 138D89DDh 0x00000031 pushad 0x00000032 push ecx 0x00000033 pushad 0x00000034 popad 0x00000035 pop ecx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9E43 second address: 6C9E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CA8E5 second address: 6CA8EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CAD58 second address: 6CAD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CAE1E second address: 6CAE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F59A4B60A16h 0x0000000a popad 0x0000000b jl 00007F59A4B60A28h 0x00000011 jmp 00007F59A4B60A22h 0x00000016 popad 0x00000017 push eax 0x00000018 jo 00007F59A4B60A2Eh 0x0000001e pushad 0x0000001f jmp 00007F59A4B60A20h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68079B second address: 6807C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B4507Dh 0x00000008 jmp 00007F59A4B4507Bh 0x0000000d push edi 0x0000000e pop edi 0x0000000f jng 00007F59A4B45076h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBCAC second address: 6CBCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBCB0 second address: 6CBCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBCB4 second address: 6CBCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBCBA second address: 6CBCC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF07C second address: 6CF081 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0567 second address: 6D056B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D056B second address: 6D0577 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0577 second address: 6D057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D057C second address: 6D0582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0582 second address: 6D0586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0586 second address: 6D05B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a sub ecx, dword ptr [ebp+122DBDD3h] 0x00000010 mov edx, dword ptr [ebp+122D1A7Ch] 0x00000016 popad 0x00000017 push 00000000h 0x00000019 sub dword ptr [ebp+124587E6h], esi 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D2D51h] 0x00000027 push eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D05B3 second address: 6D05C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B4507Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0FE2 second address: 6D0FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D1C35 second address: 6D1C9C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F59A4B45078h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F59A4B45078h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 push 00000000h 0x00000044 mov dword ptr [ebp+122D17CAh], ebx 0x0000004a mov edi, dword ptr [ebp+122D233Ch] 0x00000050 xchg eax, ebx 0x00000051 pushad 0x00000052 je 00007F59A4B45078h 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c push edx 0x0000005d pop edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D35FF second address: 6D3609 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F59A4B60A16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5F80 second address: 6D5F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5F84 second address: 6D5F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D1954 second address: 6D195A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D921A second address: 6D9220 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA1C7 second address: 6DA23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B45088h 0x00000008 jmp 00007F59A4B45087h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 pushad 0x00000012 jmp 00007F59A4B4507Ch 0x00000017 mov esi, dword ptr [ebp+122D325Ah] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 cmc 0x00000021 push 00000000h 0x00000023 jmp 00007F59A4B4507Eh 0x00000028 xchg eax, esi 0x00000029 pushad 0x0000002a je 00007F59A4B45084h 0x00000030 jmp 00007F59A4B4507Eh 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA23E second address: 6DA242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA242 second address: 6DA250 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA250 second address: 6DA254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA254 second address: 6DA25A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA366 second address: 6DA36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA36A second address: 6DA370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA370 second address: 6DA376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA376 second address: 6DA37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA37A second address: 6DA37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA43C second address: 6DA440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA440 second address: 6DA455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DD1E8 second address: 6DD254 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B4507Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F59A4B45078h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 or di, D900h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F59A4B45078h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F59A4B45081h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB57D second address: 6DB586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB586 second address: 6DB58A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB58A second address: 6DB598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB598 second address: 6DB5A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DE287 second address: 6DE28B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DE28B second address: 6DE299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F59A4B4507Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E0347 second address: 6E034D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E034D second address: 6E03BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F59A4B45081h 0x0000000a popad 0x0000000b nop 0x0000000c stc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F59A4B45078h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+1247C0C9h] 0x0000002f push 00000000h 0x00000031 jne 00007F59A4B45082h 0x00000037 xchg eax, esi 0x00000038 jnc 00007F59A4B4507Ah 0x0000003e push eax 0x0000003f pushad 0x00000040 pushad 0x00000041 jno 00007F59A4B45076h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E03BC second address: 6E03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DE44E second address: 6DE454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DF51B second address: 6DF520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E34D1 second address: 6E34DB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E05F3 second address: 6E05FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E34DB second address: 6E3551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add bh, 0000004Bh 0x0000000f push 00000000h 0x00000011 xor edi, dword ptr [ebp+122D2B4Dh] 0x00000017 xor bh, FFFFFFE2h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F59A4B45078h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 sbb ebx, 2F464C63h 0x0000003c xchg eax, esi 0x0000003d jmp 00007F59A4B45085h 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F59A4B4507Bh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E2670 second address: 6E2675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E457E second address: 6E4584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4584 second address: 6E4588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4588 second address: 6E45B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e nop 0x0000000f add dword ptr [ebp+12456E72h], ebx 0x00000015 push 00000000h 0x00000017 mov bx, 8FBEh 0x0000001b push 00000000h 0x0000001d adc di, 07DCh 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push edi 0x00000026 push edx 0x00000027 pop edx 0x00000028 pop edi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E7F75 second address: 6E7F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E7F7B second address: 6E7F85 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B4507Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ECD35 second address: 6ECD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ECD40 second address: 6ECD44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ECD44 second address: 6ECD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a jmp 00007F59A4B60A1Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F59A4B60A16h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EC6E9 second address: 6EC6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EC82C second address: 6EC830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EC830 second address: 6EC85A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F59A4B45086h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F59A4B45076h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EC85A second address: 6EC85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFB5C second address: 6EFBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F59A4B45087h 0x0000000e jmp 00007F59A4B45081h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 jg 00007F59A4B45086h 0x0000001e pop eax 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 pushad 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 jc 00007F59A4B45076h 0x0000002b popad 0x0000002c jmp 00007F59A4B45081h 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFBC0 second address: 6EFBC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFBC6 second address: 6EFBD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F59A4B45076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFD9F second address: 6EFDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFDA3 second address: 6EFDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F59A4B4507Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFDBC second address: 6EFDF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F59A4B60A27h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFEAF second address: 6EFEB9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFEB9 second address: 6EFECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F7A0B second address: 6F7A15 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F810F second address: 6F8115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8115 second address: 6F8119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8119 second address: 6F8127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F59A4B60A16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8127 second address: 6F813A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F813A second address: 6F8140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8140 second address: 6F8144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8144 second address: 6F816A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F59A4B60A36h 0x0000000e jnc 00007F59A4B60A18h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F59A4B60A1Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBCE5 second address: 6FBCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBCEF second address: 6FBCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBCF4 second address: 6FBCFE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F59A4B4507Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBCFE second address: 6FBD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD0E second address: 6FBD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD12 second address: 6FBD16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD16 second address: 6FBD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD1C second address: 6FBD37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F59A4B60A16h 0x0000000b jmp 00007F59A4B60A1Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 700DE9 second address: 700E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45083h 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jl 00007F59A4B4507Eh 0x00000016 jc 00007F59A4B45076h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007F59A4B45076h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706D19 second address: 706D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70596B second address: 705994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F59A4B45076h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F59A4B45089h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705E90 second address: 705EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F59A4B60A1Bh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F59A4B60A22h 0x00000014 jmp 00007F59A4B60A21h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705EC8 second address: 705ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705ECE second address: 705ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7062E6 second address: 7062FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59A4B45076h 0x00000008 jmp 00007F59A4B4507Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7064A9 second address: 7064C9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F59A4B60A26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706779 second address: 70677E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70677E second address: 706788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7054E4 second address: 705511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F59A4B4507Eh 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F59A4B45080h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70BBFA second address: 70BBFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70BBFE second address: 70BC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8B30 second address: 6C8B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8B3C second address: 6C8B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8B4D second address: 513CE1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movsx ecx, dx 0x0000000c push dword ptr [ebp+122D0019h] 0x00000012 or ecx, dword ptr [ebp+122D1839h] 0x00000018 mov edx, dword ptr [ebp+122D17B9h] 0x0000001e call dword ptr [ebp+122D1907h] 0x00000024 pushad 0x00000025 jmp 00007F59A4B60A23h 0x0000002a xor eax, eax 0x0000002c jnl 00007F59A4B60A1Ch 0x00000032 mov dword ptr [ebp+122D1ACDh], esi 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c pushad 0x0000003d call 00007F59A4B60A23h 0x00000042 mov eax, dword ptr [ebp+122D2C91h] 0x00000048 pop ecx 0x00000049 sub dword ptr [ebp+122D1BB2h], esi 0x0000004f popad 0x00000050 mov dword ptr [ebp+122D2C35h], eax 0x00000056 pushad 0x00000057 mov ax, EDDDh 0x0000005b adc di, 6200h 0x00000060 popad 0x00000061 mov esi, 0000003Ch 0x00000066 xor dword ptr [ebp+122D1BB2h], edx 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 stc 0x00000071 lodsw 0x00000073 jo 00007F59A4B60A17h 0x00000079 clc 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e mov dword ptr [ebp+122D1BB2h], edx 0x00000084 js 00007F59A4B60A1Ch 0x0000008a sub dword ptr [ebp+122D1BB2h], ebx 0x00000090 mov ebx, dword ptr [esp+24h] 0x00000094 jno 00007F59A4B60A1Dh 0x0000009a push eax 0x0000009b pushad 0x0000009c pushad 0x0000009d push eax 0x0000009e push edx 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8C6D second address: 6C8C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8C85 second address: 6C8C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8F38 second address: 6C8F4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C95B3 second address: 6C95C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F59A4B60A16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C95C8 second address: 6C9631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F59A4B45078h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D1BCCh], esi 0x00000028 and dx, EDDDh 0x0000002d push 0000001Eh 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F59A4B45078h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 xor dword ptr [ebp+122D25DBh], edi 0x0000004f nop 0x00000050 jnc 00007F59A4B4507Ah 0x00000056 push eax 0x00000057 pushad 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C994B second address: 6C9951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9A36 second address: 6C9A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9A3C second address: 6AFE78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F59A4B60A16h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D3A97h], edx 0x00000013 lea eax, dword ptr [ebp+124883DFh] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F59A4B60A18h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+122D318Bh] 0x00000039 push eax 0x0000003a js 00007F59A4B60A1Eh 0x00000040 push esi 0x00000041 jnl 00007F59A4B60A16h 0x00000047 pop esi 0x00000048 mov dword ptr [esp], eax 0x0000004b mov dword ptr [ebp+1247C712h], esi 0x00000051 call dword ptr [ebp+122D1AF2h] 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jbe 00007F59A4B60A16h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AC64 second address: 70AC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B4507Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AC9C second address: 70ACA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70ACA0 second address: 70ACB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jo 00007F59A4B450BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70ACB3 second address: 70ACBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70ACBD second address: 70ACD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B4507Eh 0x0000000d jne 00007F59A4B45076h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8D43 second address: 6C8DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A1Ah 0x00000009 popad 0x0000000a xor dword ptr [esp], 24DE73ABh 0x00000011 call 00007F59A4B60A24h 0x00000016 jmp 00007F59A4B60A28h 0x0000001b pop ecx 0x0000001c call 00007F59A4B60A19h 0x00000021 jmp 00007F59A4B60A26h 0x00000026 push eax 0x00000027 jmp 00007F59A4B60A1Dh 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push esi 0x00000034 pop esi 0x00000035 jmp 00007F59A4B60A22h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AFC0 second address: 70AFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AFC4 second address: 70AFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F59A4B60A1Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F59A4B60A22h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AFF7 second address: 70AFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70AFFC second address: 70B002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B122 second address: 70B154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45081h 0x00000009 popad 0x0000000a push edx 0x0000000b jnl 00007F59A4B45076h 0x00000011 jg 00007F59A4B45076h 0x00000017 pop edx 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c popad 0x0000001d push edi 0x0000001e jng 00007F59A4B4507Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B5F2 second address: 70B62D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Ah 0x00000007 jmp 00007F59A4B60A1Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B60A26h 0x00000015 jnl 00007F59A4B60A16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B62D second address: 70B64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Fh 0x00000007 jmp 00007F59A4B4507Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B64B second address: 70B666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71254E second address: 71255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F59A4B45076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71255C second address: 712561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7111FA second address: 711201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7114F3 second address: 711521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F59A4B60A1Eh 0x0000000d pushad 0x0000000e jmp 00007F59A4B60A20h 0x00000013 jnp 00007F59A4B60A16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711BAA second address: 711BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F59A4B4507Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711BB9 second address: 711BDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edi 0x0000000a jmp 00007F59A4B60A25h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711D8B second address: 711D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711EC1 second address: 711EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711EC6 second address: 711EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F59A4B45076h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F59A4B45089h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e je 00007F59A4B45076h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711EFE second address: 711F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7121B3 second address: 7121B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7121B7 second address: 7121D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F59A4B60A1Eh 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7146C8 second address: 7146CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7148B7 second address: 7148BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7148BD second address: 7148C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7148C1 second address: 7148C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7148C5 second address: 7148CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7148CB second address: 7148E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59A4B60A23h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 717452 second address: 71745D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F59A4B45076h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71745D second address: 717462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 717462 second address: 717468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71DE12 second address: 71DE16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71DE16 second address: 71DE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45085h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F59A4B45082h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71DE39 second address: 71DE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71D66B second address: 71D682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B45082h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71D682 second address: 71D688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71D7DE second address: 71D7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71D7E2 second address: 71D7F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71DB56 second address: 71DB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71DB5C second address: 71DB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72277C second address: 722782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722782 second address: 72278E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F59A4B60A16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72278E second address: 722793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722793 second address: 722798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7228CD second address: 7228D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7228D1 second address: 7228EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7228EA second address: 72291D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F59A4B45080h 0x0000000b jnc 00007F59A4B45083h 0x00000011 jne 00007F59A4B4507Eh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722A3E second address: 722A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jno 00007F59A4B60A16h 0x0000000c jng 00007F59A4B60A16h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722A57 second address: 722A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C939C second address: 6C9444 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F59A4B60A1Bh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d jnc 00007F59A4B60A18h 0x00000013 pop ecx 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D1BB2h], ebx 0x0000001b mov ebx, dword ptr [ebp+1248841Eh] 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F59A4B60A18h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b mov dx, BE01h 0x0000003f pushad 0x00000040 mov dword ptr [ebp+1247348Ah], edx 0x00000046 jne 00007F59A4B60A1Ch 0x0000004c popad 0x0000004d add eax, ebx 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F59A4B60A18h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 adc dh, 00000052h 0x0000006c push eax 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F59A4B60A28h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723BD1 second address: 723BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723BD5 second address: 723BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A29h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723BF4 second address: 723C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F59A4B45076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72734C second address: 727350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727623 second address: 727629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FC5A second address: 72FC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FC5E second address: 72FC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FC62 second address: 72FC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F59A4B60A26h 0x0000000e jmp 00007F59A4B60A1Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DE9B second address: 72DEBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E86A second address: 72E86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72EE27 second address: 72EE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72EE2D second address: 72EE76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A20h 0x00000007 jng 00007F59A4B60A16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F59A4B60A23h 0x0000001a jmp 00007F59A4B60A26h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739625 second address: 73962B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73962B second address: 73963B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F59A4B60A16h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738817 second address: 738830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F59A4B45082h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738830 second address: 738834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7391A6 second address: 7391BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F59A4B45076h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7391BB second address: 7391CD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B60A16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73FD14 second address: 73FD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59A4B4507Ch 0x0000000a jmp 00007F59A4B45085h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 jno 00007F59A4B4507Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73FD4E second address: 73FD53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73FD53 second address: 73FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740158 second address: 74015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74015C second address: 740160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740160 second address: 740166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740166 second address: 74016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74016C second address: 74018E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F59A4B60A16h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F59A4B60A1Ch 0x00000013 jg 00007F59A4B60A18h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7406AE second address: 7406DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F59A4B4507Ch 0x0000000c jnl 00007F59A4B45076h 0x00000012 popad 0x00000013 jl 00007F59A4B45093h 0x00000019 jmp 00007F59A4B4507Dh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7406DA second address: 7406DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F7DA second address: 73F802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007F59A4B45085h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F802 second address: 73F820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F59A4B60A29h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6871A4 second address: 6871AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6871AF second address: 6871B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6871B3 second address: 6871BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7489ED second address: 7489FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7489FB second address: 748A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7570DF second address: 7570EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75FA0A second address: 75FA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75FA10 second address: 75FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A1Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75FA23 second address: 75FA2D instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75FA2D second address: 75FA32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 768302 second address: 768316 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F59A4B45076h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 768316 second address: 768330 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F59A4B60A16h 0x00000008 jmp 00007F59A4B60A20h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 768330 second address: 768335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 768150 second address: 76815A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59A4B60A16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76815A second address: 76817B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F59A4B45085h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76817B second address: 76817F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76817F second address: 7681B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F59A4B45085h 0x00000014 popad 0x00000015 push edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 ja 00007F59A4B45076h 0x0000001e pop edi 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7701F4 second address: 770208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77049F second address: 7704F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F59A4B4507Bh 0x0000000a jmp 00007F59A4B45081h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F59A4B45085h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b jl 00007F59A4B45076h 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F59A4B45082h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770685 second address: 77068A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77068A second address: 770694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774679 second address: 77469C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F59A4B60A16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F59A4B60A20h 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77469C second address: 7746AA instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7746AA second address: 7746B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7746B4 second address: 7746D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F59A4B45082h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7746D2 second address: 7746D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77481E second address: 774822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777C9B second address: 777C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777C9F second address: 777CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777CA5 second address: 777CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 jmp 00007F59A4B60A1Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777CCF second address: 777CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777CD3 second address: 777CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 777CD9 second address: 777CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78753B second address: 78753F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7873A6 second address: 7873DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jnc 00007F59A4B45076h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F59A4B45089h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F59A4B4507Bh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF1A5 second address: 7AF1A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF1A9 second address: 7AF1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F59A4B45089h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF1DC second address: 7AF1F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B60A1Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6D6 second address: 7AF6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6DA second address: 7AF6EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59A4B60A1Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6EE second address: 7AF6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6F6 second address: 7AF6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6FA second address: 7AF6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF9CA second address: 7AF9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F59A4B60A16h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFD6E second address: 7AFD84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F59A4B4507Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5D97 second address: 7B5DA3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B60A16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7D54 second address: 7B7D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10E75 second address: 4B10E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10E79 second address: 4B10E93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10E93 second address: 4B10EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10EA5 second address: 4B10EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10EA9 second address: 4B10F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F59A4B60A5Ch 0x0000000e jmp 00007F59A4B60A27h 0x00000013 add eax, ecx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F59A4B60A22h 0x0000001d and ax, 2D88h 0x00000022 jmp 00007F59A4B60A1Bh 0x00000027 popfd 0x00000028 mov eax, 410F41FFh 0x0000002d popad 0x0000002e popad 0x0000002f mov eax, dword ptr [eax+00000860h] 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F59A4B60A1Dh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10F13 second address: 4B10FB9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F59A4B45080h 0x00000008 sbb esi, 1B2A4318h 0x0000000e jmp 00007F59A4B4507Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ch, 4Ah 0x00000018 popad 0x00000019 test eax, eax 0x0000001b jmp 00007F59A4B4507Bh 0x00000020 je 00007F5A1696AE8Bh 0x00000026 pushad 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F59A4B45082h 0x0000002e adc si, E4A8h 0x00000033 jmp 00007F59A4B4507Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F59A4B45088h 0x0000003f xor ch, 00000008h 0x00000042 jmp 00007F59A4B4507Bh 0x00000047 popfd 0x00000048 popad 0x00000049 mov edi, eax 0x0000004b popad 0x0000004c test byte ptr [eax+04h], 00000005h 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F59A4B45081h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDFEA second address: 6CDFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDFEF second address: 6CDFF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 513D6B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6BFBBD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6BE36F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6E7FBF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 74EF0B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 4508 Thread sleep time: -60000s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2163004974.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162849161.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F5BB0 LdrInitializeThunk, 0_2_004F5BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe, file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR